Source: 00000000.00000002.2126876651.000000000007C000.00000004.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: CopperShrimp {"C2 url": "tztwo2ht.top", "urls": ["/index.php", "/gate.php", "/zip.php", "/upload.php"]} |
Source: vk2wTOx91s.exe.3788.0.memstrmin | Malware Configuration Extractor: Cryptbot {"C2 list": ["tztwo2ht.top"]} |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed\ |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\ |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\ |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ |
Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary77938395 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 348 Host: tztwo2ht.top |
Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary40876462 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 1424 Host: tztwo2ht.top |
Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary86828523 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 79310 Host: tztwo2ht.top |
Source: vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top/ |
Source: vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2093528924.00000000016F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top/upload.php |
Source: vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top/upload.phpe |
Source: vk2wTOx91s.exe, 00000000.00000003.2118934307.0000000001714000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128567322.0000000001714000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top:80/upload.php |
Source: vk2wTOx91s.exe, 00000000.00000003.2118934307.0000000001714000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2093528924.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2093562903.0000000001713000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128567322.0000000001714000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://tztwo2ht.top:80/upload.phpMicrosoft |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: vk2wTOx91s.exe, vk2wTOx91s.exe, 00000000.00000002.2126836787.000000000006D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://brewdogebar.com/code.vue |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: vk2wTOx91s.exe, 00000000.00000003.2092456123.0000000001937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: vk2wTOx91s.exe, 00000000.00000003.2092393305.0000000001924000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2092651705.0000000001924000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: webio.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: dpapi.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_006EC4D1 pushfd ; ret | 0_2_006EC50E |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_00774688 push ss; retf B8E1h | 0_2_007746E3 |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_006E7AFD push 80857E55h; retf | 0_2_006E7B0A |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_006FFB21 push ecx; ret | 0_2_006FFB34 |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | Code function: 0_2_006E8E7A pushfd ; retf | 0_2_006E8E7E |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655} |
Source: vk2wTOx91s.exe, 00000000.00000003.2093528924.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2118934307.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128520300.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128379629.00000000016BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^ |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE |
Source: vk2wTOx91s.exe, 00000000.00000003.2093528924.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000003.2118934307.0000000001700000.00000004.00000020.00020000.00000000.sdmp, vk2wTOx91s.exe, 00000000.00000002.2128520300.0000000001700000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWak |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655} |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~ |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655 |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655] |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h |
Source: vk2wTOx91s.exe, 00000000.00000003.2092737236.000000000194A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655 |
Source: vk2wTOx91s.exe | String found in binary or memory: \Electrum\wallets |
Source: vk2wTOx91s.exe | String found in binary or memory: \ElectronCash\wallets |
Source: vk2wTOx91s.exe | String found in binary or memory: \Jaxx |
Source: vk2wTOx91s.exe | String found in binary or memory: \Exodus\backup |
Source: vk2wTOx91s.exe | String found in binary or memory: \Exodus Eden |
Source: vk2wTOx91s.exe | String found in binary or memory: Ethereum (UTC) |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db |
Source: C:\Users\user\Desktop\vk2wTOx91s.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies |